Reports

Detailed investigations. Living documents. Taxonomies. Reference materials. Our reports help Open Source folks do better work and design better policies and institutions.

Reports

Featured Posts

Binary Dependencies: Identifying the Hidden Packages We All Depend On

Burnout in Open Source: A Structural Problem We Can Fix Together

All Posts

Software Supply Chains

Dumb Ways for an Open Source Project to Die

Binary Dependencies: Identifying the Hidden Packages We All Depend On

How Binary Dependencies Work Across Different Languages

Typosquatting in Package Managers

Supply Chain Security Tools for Ruby

Maintainer Well-Being

Burnout in Open Source: A Structural Problem We Can Fix Together

Funding Tech Infrastructure

Open Source Foundation Financials

Why and How Companies Should Pay Open Source Maintainers

Project Governance

Open Source: Deceptive Power or Collective Governance?

Package Management

Package Manager Threat Models

Package Manager CWEs

Package Security Defenses for AI Agents

Package Security Problems for AI Agents

The Roles of Packages

Package Manager Mirroring

Package Manager Magic Files

Platform Strings

Package Management Namespaces

Dependency Resolution Methods

Lockfile Format Design and Tradeoffs

Package Manager People

Package Manager Glossary

Package Management Blog Posts

The Package Management Landscape

Categorizing Package Manager Clients

Categorizing Package Registries

Package Manager Design Tradeoffs

What is a Package Manager?

Package Management Commands

Package Manager Archives

Package Manager Hooks

Package Manager Manifest Examples

Package Manager OpenAPI Schemas

Package Manager Resolvers

Package Managers OPML

Package Manager Timeline

Package Management Papers

From ZeroVer to SemVer: A List of Versioning Schemes in Open Source

Tooling

Git Remote Helpers

Forge-Specific Repository Folders

The Many Flavors of Ignore Files

Git's Magic Files

Extending Git Functionality