Ideas

We regularly write about Open Source governance and burnout, software supply chains, package management, funding and metrics, and other topics in Open Source sustainability.

Ideas

Featured Posts

Weekend at Bernie's

All Posts

Software Supply Chains

GitHub Actions security in Python packages

Dependency Pruning

Not a Security Issue

Weekend at Bernie's

Free as in Tribbles

Revisiting the 2015 Open Source Census

GitHub Actions is the weakest link

Who Built This?

The Cathedral and the Catacombs

The Fragmented World of Dependency Policy

Reviewing ENISA's Package Manager Advisory

Transitive Trust

Downstream Testing

Two Kinds of Attestation

The C-Shaped Hole in Package Management

How I Assess Open Source Libraries

Slopsquatting meets Dependency Confusion

Maintainer Well-Being

Open Source Burnout Claims Another Project

Respectful Open Source

Funding Tech Infrastructure

How OSPOs can Measure the Impact of OSS Funding

Not Paying Open Source Maintainers Is Expensive

Software Metrics

Centrality is not vitality

The Mismeasure of Open Source

Project Governance

The Dependency Layer in Digital Sovereignty

Package Registries Are Governance Providers

Philosophy

What does Open Source mean?

npmx: A Lesson in Open Source's Collaboration Feedback Loops

Whale Fall

Keystone Maintainers Keep the Internet Going

Package Management

Signing is for the bad days

Language Registries Are Unstable by Default

Patching and forking in package managers

The stages of package installation

The Tuesday Test

Standing on the shoulders of Homebrew

Common Package Specification

Package Registries and Pagination

npm's Defaults Are Bad

What's Going On with FAIR Package Manager

If It Quacks Like a Package Manager

Package Managers Need to Cool Down

Package Management is Naming All the Way Down

Reproducible Builds in Language Package Managers

Where Do Specifications Fit in the Dependency Tree?

What Package Registries Could Borrow from OCI

Separating Download from Install in Docker Builds

Lockfiles Killed Vendoring

Package Manager Podcast Episodes

Crates.io's Freaky Friday

Package Management at FOSDEM 2026

Will AI Make Package Managers Redundant?

Zig and the M×N Supply Chain Problem

PkgFed: ActivityPub for Package Releases

Package Management is a Wicked Problem

A Protocol for Package Management

A Jepsen Test for Package Managers

importmap.lock: a lockfile for the web

Workspaces and Monorepos in Package Managers

How Dependabot Actually Works

Community Tools Bring Lockfile Support to GitHub Actions

The Compact Index: How Bundler Scales Dependency Resolution

How to Ruin All of Package Management

How uv got so fast

Cursed Bundler: Using go get to install Ruby Gems

Package managers keep using git as a database, it never works out

Could lockfiles just be SBOMs?

Federated Package Management and the Zooko Triangle

Why JavaScript Needed Docker

Docker is the Lockfile for System Packages