Tag: supply-chain

21 posts

The Reviewer Shortage: Three Open-Source Projects, Three Responses to AI Contributions

·
Jul 2, 2026

Unbundling the standard library

Batteries no longer included, available separately on aisle four


A
Andrew Nesbitt
nesbitt.io
·
Jun 29, 2026

What Happened to tea.xyz

Reading the tea leaves


A
Andrew Nesbitt
nesbitt.io
·
Jun 11, 2026

gittuf - a signed log for git refs

Branch protection is a row in someone else's database


A
Andrew Nesbitt
nesbitt.io
·
Jun 4, 2026

Composer's dependency policies

uBlock Origin for composer install


A
Andrew Nesbitt
nesbitt.io
·
May 29, 2026

Protestware for coding agents

printMessageForCodingAgents()


A
Andrew Nesbitt
nesbitt.io
·
May 28, 2026

GitHub Actions security in Python packages

Thank you Dr. Zizmor


A
Andrew Nesbitt
nesbitt.io
·
May 25, 2026

Signing is for the bad days

TUF, in-toto, and Sigstore only look pointless while nothing is on fire


A
Andrew Nesbitt
nesbitt.io
·
May 24, 2026

Dependency Pruning

A survey of unused-dependency detectors


A
Andrew Nesbitt
nesbitt.io
·
May 22, 2026

Dumb Ways for an Open Source Project to Die

How your dependencies became Bernies


A
Andrew Nesbitt
nesbitt.io
·
May 19, 2026

Language Registries Are Unstable by Default

apt install -t unstable, but make it your whole personality


A
Andrew Nesbitt
nesbitt.io
·
May 15, 2026

Weekend at Bernie's

Which of your dependencies are wearing sunglasses


A
Andrew Nesbitt
nesbitt.io
·
May 8, 2026

Free as in Tribbles

The next metaphor after free-as-in-puppy


A
Andrew Nesbitt
nesbitt.io
·
May 7, 2026

GitHub Actions is the weakest link

Anne Robinson would like a word with .github/workflows


A
Andrew Nesbitt
nesbitt.io
·
Apr 28, 2026

The Tuesday Test

Like the Turing test but with more tacos.


A
Andrew Nesbitt
nesbitt.io
·
Apr 15, 2026

Who Built This?

Tracing a dependency back to its source commit.


A
Andrew Nesbitt
nesbitt.io
·
Apr 7, 2026

The Crime Was Meaning the Terms, Part II: Two Courts, Two Strategies

·
Apr 1, 2026

The Fragmented World of Dependency Policy

Every tool that makes automated decisions about dependencies invented its own policy format. There are standards for describing software components but none for writing rules about them.


A
Andrew Nesbitt
nesbitt.io
·
Mar 19, 2026

Reviewing ENISA's Package Manager Advisory

Notes on ENISA's Technical Advisory for Secure Use of Package Managers.


A
Andrew Nesbitt
nesbitt.io
·
Mar 12, 2026

git-pkgs/actions

How to add git-pkgs to your GitHub Actions workflows.


A
Andrew Nesbitt
nesbitt.io
·
Mar 11, 2026

Package Management at FOSDEM 2026

Summary of package management talks from FOSDEM 2026, covering supply chain security, attestations, SBOMs, dependency resolution, and distribution packaging across multiple devrooms.


A
Andrew Nesbitt
nesbitt.io
·
Feb 3, 2026