Articles from nesbitt.io
7 kept
- Open Source vs the Invisible Hand
Open source software production defies standard economic theory by producing stable, valuable, and widely-used goods despite lacking price signals, contracts, or incentives that textbooks predict are necessary.
- Package managers that package package managers
Andrew Nesbitt built a matrix showing which of 42 package managers can install each other, finding a 14-hop chain from AUR to an Elm compiler.
- Dumb Ways for an Open Source Project to Die
The piece enumerates dozens of distinct ways open-source projects become effectively dead, from maintainer abandonment to sabotage and ecosystem shifts.
- GitHub Actions is the weakest link
GitHub Actions' default features—mutable tags, pull_request_target, template injection, and write-scoped tokens—have enabled a chain of supply-chain attacks on open-source registries, and GitHub's opt-in security roadmap won't fix the root causes.
- Package Managers Need to Cool Down
A survey finds that while many package managers and update tools have adopted dependency cooldowns to prevent supply chain attacks, implementations vary wildly in naming, scope, and timestamp handling, and major ecosystems like Go, Maven, and Gradle still lack support.
- Cursed Bundler: Using go get to install Ruby Gems
Go's module proxy and transparency log can be repurposed to fetch and verify Ruby gems with better integrity guarantees than RubyGems itself.
- Package managers keep using git as a database, it never works out
Package managers that use git as a database for registry data inevitably hit scaling limits, forcing migrations to HTTP-based or CDN-backed solutions.