Andrew Nesbitt | Software Engineer and Package Management Nerd

Machine Readiness

Stored receipt and evidence

Overall: 16
Readable: 55
Callable: 0
Commerce: 0
Payment: 0

Machine Access

Inspect the site's MCP endpoint

DialtoneApp can scan the stored discovery files for this domain, try the MCP initialize handshake, and show the raw protocol transcript.

Purchase boundary: read only
Control boundary: unknown
Payment rails: None
Payment providers: None
Payment methods: None
Payment protocols: None
Payment assets: None
Payment networks: None
Capabilities: None
Verified payment surface: No
Crypto only: No

Readable docs: llms
Products: 0
Variants: 0
Priced variants: 0
Currencies: 0
Offers: 0
Priced offers: 0
Priced actions: 0

Samples

Offer samples: No stored offer samples.
Action samples: No stored action samples.
Product samples: No stored product samples.

Document: robots.txt

Not stored for this site.

Document: llms.txt

# Andrew Nesbitt

Package management and open source metadata expert. Building Ecosyste.ms, open datasets and tools for critical open source infrastructure.

## Posts:

- [Exploring Unseen Open Source Infrastructure](/2017/02/24/exploring-unseen-open-source-infrastructure.html)
  Date: 2017-02-24
  Highly used open source libraries that have almost no stars or attention on GitHub.
  Tags: open-source, infrastructure, dependencies, github
- [What does a sustainable open source project look like?](/2017/11/10/what-does-a-sustainable-open-source-project-look-like.html)
  Date: 2017-11-10
  What a successful, sustainable open source project looks like, the work people do on it, and the community it needs.
- [Untangle your GitHub Notifications with Octobox](/2018/11/25/untangle-your-github-notifications-with-octobox.html)
  Date: 2018-11-25
  Octobox helps you manage your GitHub notifications in the same way Gmail helps you with email, it's now available on the GitHub Marketplace.
  Tags: ruby, github, open-source, productivity
- [Making 24 Pull Requests more inclusive for 2018](/2018/11/29/making-24-pull-requests-more-inclusive-for-2018.html)
  Date: 2018-11-29
  24 Pull Requests is back for its 6th year and this time we're making it more inclusive to all kinds of contributions.
  Tags: open-source, challenge, christmas
- [Ecosyste.ms 2023 End of Year Update](/2023/12/21/2023-ecosystems-end-of-year-update.html)
  Date: 2023-12-21
  Wrapping up what we've been up to over the past year on https://ecosyste.ms
  Tags: open-source, ecosyste.ms, github
- [From ZeroVer to SemVer: A List of Versioning Schemes in Open Source](/2024/06/24/from-zerover-to-semver-a-comprehensive-list-of-versioning-schemes-in-open-source.html)
  Date: 2024-06-24
  A curated catalogue of versioning schemes used in open source software—from the conventional to the creative.
  Tags: versioning, open-source, software development, semver, package-managers, reference, history
- [Package Management Papers](/2025/11/13/package-management-papers.html)
  Date: 2025-11-13
  A collection of academic research papers on package management systems, dependency resolution, supply chain security, and software ecosystems.
  Tags: package-managers, research, dependencies, history, reference
- [Package Manager Timeline](/2025/11/15/package-manager-timeline.html)
  Date: 2025-11-15
  A chronological timeline of package manager releases, major milestones, and significant events in the history of software dependency management.
  Tags: package-managers, history, dependencies, reference
- [Podcast Interviews 2025](/2025/11/17/podcast-interviews-2025.html)
  Date: 2025-11-17
  A collection of podcast interviews discussing ecosyste.ms, open source metadata, package management, and software sustainability.
  Tags: podcasts, ecosyste.ms, open-source, sustainability
- [Extending Git Functionality](/2025/11/26/extending-git-functionality.html)
  Date: 2025-11-26
  A practical guide to the different ways you can extend git: subcommands, filters, hooks, remote helpers, and more.
  Tags: git, tools, reference
- [Community Benchmarks for AI Coding Tools](/2025/11/27/community-benchmarks-for-ai-coding-tools.html)
  Date: 2025-11-27
  AI coding benchmarks are heavily skewed toward Python and JavaScript. Framework maintainers could change that by defining what good code looks like in their ecosystems.
  Tags: ai, open-source, benchmarks, maintainers
- [Revisiting Gitballs](/2025/11/28/revisiting-gitballs.html)
  Date: 2025-11-28
  Nine years ago I experimented with storing package tarballs as git objects. A visit to Software Heritage got me thinking about it again.
  Tags: open-source, package-managers, git, software heritage, tools
- [A Taxonomy for Open Source Software](/2025/11/29/oss-taxonomy.html)
  Date: 2025-11-29
  I'm working on a structured taxonomy for classifying open source projects across multiple dimensions: domain, role, technology, audience, layer, and function.
  Tags: open-source, metadata, taxonomy, ecosyste.ms
- [Documenting Package Manager Data](/2025/11/30/documenting-package-manager-data.html)
  Date: 2025-11-30
  Six repositories documenting how package managers work: commands, manifests, APIs, hooks, and more.
  Tags: open-source, package-managers, ecosyste.ms, reference
- [PromptVer](/2025/12/01/promptver.html)
  Date: 2025-12-01
  A semver-compatible versioning scheme for the age of LLMs.
  Tags: versioning, ai, semver, package-managers, satire
- [What is a Package Manager?](/2025/12/02/what-is-a-package-manager.html)
  Date: 2025-12-02
  What is a package manager? Perhaps quite a few more components than you might think.
  Tags: package-managers, reference
- [Package Manager Design Tradeoffs](/2025/12/05/package-manager-tradeoffs.html)
  Date: 2025-12-05
  Design tradeoffs in package managers
  Tags: package-managers, rust, reference
- [GitHub Actions Has a Package Manager, and It Might Be the Worst](/2025/12/06/github-actions-package-manager.html)
  Date: 2025-12-06
  GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning
  Tags: package-managers, github, git
- [Why I'm Fascinated by Package Management](/2025/12/09/why-im-fascinated-by-package-management.html)
  Date: 2025-12-09
  From gaming magazine CDs to dependency graphs
  Tags: package-managers
- [Slopsquatting meets Dependency Confusion](/2025/12/10/slopsquatting-meets-dependency-confusion.html)
  Date: 2025-12-10
  LLMs can leak internal package names, making dependency confusion attacks easier to scale.
  Tags: security, package-managers
- [Building Ecosyste.ms Polite API Rate Limits](/2025/12/11/building-ecosytems-polite-api-rate-limits.html)
  Date: 2025-12-11
  Tiered rate limiting that rewards good citizenship: API keys, polite users, and everyone else.
  Tags: ecosyste.ms, apisix
- [Supply Chain Security Tools for Ruby](/2025/12/14/supply-chain-security-tools-for-ruby.html)
  Date: 2025-12-14
  Ruby implementations of PURL, VERS, SBOM, SWHID, and SARIF specs.
  Tags: ruby, sbom, package-managers, tools
- [How I Assess Open Source Libraries](/2025/12/15/how-i-assess-open-source-libraries.html)
  Date: 2025-12-15
  What I actually look at when deciding whether to adopt a dependency.
  Tags: open-source, package-managers, dependencies
- [Typosquatting in Package Managers](/2025/12/17/typosquatting-in-package-managers.html)
  Date: 2025-12-17
  A reference guide to typosquatting techniques, real-world examples, and detection tools.
  Tags: security, package-managers
- [Docker is the Lockfile for System Packages](/2025/12/18/docker-is-the-lockfile-for-system-packages.html)
  Date: 2025-12-18
  Why Docker filled the reproducibility gap that system package managers left open
  Tags: package-managers, docker, deep-dive
- [Why JavaScript Needed Docker](/2025/12/19/why-javascript-needed-docker.html)
  Date: 2025-12-19
  How Docker became JavaScript's real lockfile
  Tags: package-managers, npm, docker, deep-dive
- [Package Managers Devroom at FOSDEM 2026: Schedule Announced](/2025/12/20/fosdem-2026-package-managers-devroom-schedule.html)
  Date: 2025-12-20
  Nine talks on supply chain security, dependency resolution, and registry economics
  Tags: package-managers, fosdem, conferences
- [Federated Package Management and the Zooko Triangle](/2025/12/21/federated-package-management.html)
  Date: 2025-12-21
  The trade-offs that make decentralized package management impractical
  Tags: package-managers, deep-dive
- [Jekyll Stats Plugin](/2025/12/21/jekyll-stats-plugin.html)
  Date: 2025-12-21
  A Jekyll plugin that adds a stats command to show word counts, reading time, posting frequency, and tag distributions.
  Tags: open-source, ruby, jekyll
- [Package Registries Are Governance Providers](/2025/12/22/package-registries-are-governance-as-a-service.html)
  Date: 2025-12-22
  Registries host files, but they also decide who owns names, how disputes resolve, and what gets removed. That second job is governance.
  Tags: package-managers, deep-dive
- [Could lockfiles just be SBOMs?](/2025/12/23/could-lockfiles-just-be-sboms.html)
  Date: 2025-12-23
  Lockfiles and SBOMs record the same information in different formats. What if package managers used SBOMs directly, instead of converting later?
  Tags: package-managers, sbom, idea
- [Package managers keep using git as a database, it never works out](/2025/12/24/package-managers-keep-using-git-as-a-database.html)
  Date: 2025-12-24
  Git repositories seem like an elegant solution for package registry data. Pull requests for governance, version history for free, distributed by design. But as registries grow, the cracks appear.
  Tags: package-managers, git, rust, go, deep-dive
- [Cursed Bundler: Using go get to install Ruby Gems](/2025/12/25/cursed-bundler-using-go-get-to-install-ruby-gems.html)
  Date: 2025-12-25
  Go's module system accidentally created a universal, content-addressed, transparency-logged package CDN. You could abuse this for any language.
  Tags: package-managers, go, ruby, idea
- [How uv got so fast](/2025/12/26/how-uv-got-so-fast.html)
  Date: 2025-12-26
  uv's speed comes from engineering decisions, not just Rust. Static metadata, dropping legacy formats, and standards that didn't exist five years ago.
  Tags: package-managers, python, deep-dive
- [How to Ruin All of Package Management](/2025/12/27/how-to-ruin-all-of-package-management.html)
  Date: 2025-12-27
  Attach financial incentives to open source metrics and watch the spam flood in.
  Tags: package-managers, security
- [The Compact Index: How Bundler Scales Dependency Resolution](/2025/12/28/the-compact-index.html)
  Date: 2025-12-28
  The append-only index format that saved RubyGems.org, inspired Cargo's sparse index, and could speed up npm and PyPI too.
  Tags: package-managers, ruby, rust, deep-dive
- [Categorizing Package Manager Clients](/2025/12/29/categorizing-package-manager-clients.html)
  Date: 2025-12-29
  Sorting package manager clients by resolution algorithms, lockfile strategies, build hooks, and manifest formats.
  Tags: package-managers, reference
- [Categorizing Package Registries](/2025/12/29/categorizing-package-registries.html)
  Date: 2025-12-29
  Sorting package registries by architecture, review model, namespacing, governance, and other structural differences.
  Tags: package-managers, reference
- [Community Tools Bring Lockfile Support to GitHub Actions](/2025/12/30/community-tools-bring-lockfile-support-to-github-actions.html)
  Date: 2025-12-30
  Community projects gh-actions-lockfile and ghasum address GitHub's missing lockfile support with SHA pinning and integrity verification
  Tags: package-managers, github, git, tools
- [Open Source Activity in 2025](/2025/12/31/open-source-activity-in-2025.html)
  Date: 2025-12-31
  A look back at my open source work in 2025: ecosyste.ms, supply chain security tooling, and Ruby gems
  Tags: open-source, github
- [git-pkgs: explore your dependency history](/2026/01/01/git-pkgs-explore-your-dependency-history.html)
  Date: 2026-01-01
  A git subcommand to explore the dependency history of your repositories.
  Tags: open-source, package-managers, git, tools, git-pkgs
- [How Dependabot Actually Works](/2026/01/02/how-dependabot-actually-works.html)
  Date: 2026-01-02
  Inside dependabot-core's architecture, its reliance on proprietary GitHub infrastructure, and open source alternatives
  Tags: package-managers, github, dependencies, deep-dive
- [The Package Management Landscape](/2026/01/03/the-package-management-landscape.html)
  Date: 2026-01-03
  A directory of tools, systems, and services that relate to package management.
  Tags: package-managers, reference
- [Making git-pkgs feel like Git](/2026/01/04/making-git-pkgs-feel-like-git.html)
  Date: 2026-01-04
  What it takes to make a git subcommand feel native.
  Tags: open-source, package-managers, git, tools, git-pkgs
- [The Nine Levels of JavaScript Dependency Hell](/2026/01/05/the-nine-levels-of-javascript-dependency-hell.html)
  Date: 2026-01-05
  Come, I will show you what I have seen.
  Tags: package-managers, javascript, npm, satire
- [brew-vulns: CVE scanning for Homebrew](/2026/01/08/brew-vulns-cve-scanning-for-homebrew.html)
  Date: 2026-01-08
  A new Homebrew subcommand that scans your installed packages for known vulnerabilities using the OSV database.
  Tags: package-managers, homebrew, tools
- [Package Management Blog Posts](/2026/01/09/package-management-blog-posts.html)
  Date: 2026-01-09
  Blog posts, talks, and essays that changed how people think about dependency management.
  Tags: package-managers, history, reference
- [16 Best Practices for Reducing Dependabot Noise](/2026/01/10/16-best-practices-for-reducing-dependabot-noise.html)
  Date: 2026-01-10
  A practical guide to ignoring security updates responsibly
  Tags: package-managers, dependencies, satire
- [Package Manager Glossary](/2026/01/13/package-manager-glossary.html)
  Date: 2026-01-13
  A cross-ecosystem glossary of package management terms.
  Tags: package-managers, reference
- [Package Manager People](/2026/01/14/package-manager-people.html)
  Date: 2026-01-14
  People who built, maintain, or research package managers.
  Tags: package-managers, research, reference
- [Lockfile Format Design and Tradeoffs](/2026/01/17/lockfile-format-design-and-tradeoffs.html)
  Date: 2026-01-17
  Lockfile format tradeoffs, best practices, and a survey of existing formats across package managers.
  Tags: package-managers, deep-dive
- [Workspaces and Monorepos in Package Managers](/2026/01/18/workspaces-and-monorepos-in-package-managers.html)
  Date: 2026-01-18
  How various package managers implement workspaces and their relationship with monorepos.
  Tags: package-managers, monorepo, deep-dive
- [A Jepsen Test for Package Managers](/2026/01/19/a-jepsen-test-for-package-managers.html)
  Date: 2026-01-19
  Applying Jepsen-style adversarial testing to package managers.
  Tags: package-managers, idea
- [importmap.lock: a lockfile for the web](/2026/01/19/importmap-lock.html)
  Date: 2026-01-19
  Extending import maps with package metadata to improve dependency management and security for browser-native JavaScript.
  Tags: package-managers, javascript, importmap, idea
- [The Lesser Evil of Compliance: Enterprise SBOM Strategy for CRA Readiness](/2026/01/20/the-lesser-evil-of-compliance.html)
  Date: 2026-01-20
  You are not paid to find good options. You are paid to choose.
  Tags: package-managers, dependencies, satire, the-path
- [An AI Skill for Skeptical Dependency Management](/2026/01/21/an-ai-skill-for-skeptical-dependency-management.html)
  Date: 2026-01-21
  A skill that makes Claude Code evaluate packages before suggesting them.
  Tags: package-managers, tools
- [A Protocol for Package Management](/2026/01/22/a-protocol-for-package-management.html)
  Date: 2026-01-22
  A shared vocabulary for resolution, publishing, and governance across ecosystems.
  Tags: package-managers, idea
- [Package Management is a Wicked Problem](/2026/01/23/package-management-is-a-wicked-problem.html)
  Date: 2026-01-23
  Why fixing package managers is harder than it looks.
  Tags: package-managers, idea
- [Rewriting git-pkgs in Go](/2026/01/24/rewriting-git-pkgs-in-go.html)
  Date: 2026-01-24
  The dependency history tool is now a single Go binary.
  Tags: open-source, package-managers, git, tools, git-pkgs, go
- [PkgFed: ActivityPub for Package Releases](/2026/01/25/pkgfed-activitypub-for-package-releases.html)
  Date: 2026-01-25
  Follow serde@crates.io from your Mastodon account
  Tags: package-managers, idea
- [Introducing Package Chaos Monkey](/2026/01/26/introducing-package-chaos-monkey.html)
  Date: 2026-01-26
  Resilience engineering for your software supply chain.
  Tags: package-managers, satire
- [The C-Shaped Hole in Package Management](/2026/01/27/the-c-shaped-hole-in-package-management.html)
  Date: 2026-01-27
  System package managers and language package managers are solving different problems that happen to overlap in the middle.
  Tags: package-managers, deep-dive
- [The Dependency Layer in Digital Sovereignty](/2026/01/28/the-dependency-layer-in-digital-sovereignty.html)
  Date: 2026-01-28
  Where package management fits in the digital sovereignty discussion.
  Tags: package-managers, idea
- [Zig and the M×N Supply Chain Problem](/2026/01/29/zig-and-the-mxn-supply-chain-problem.html)
  Date: 2026-01-29
  Zig's long road to supply chain security.
  Tags: package-managers, idea
- [Will AI Make Package Managers Redundant?](/2026/01/30/will-ai-make-package-managers-redundant.html)
  Date: 2026-01-30
  Following the prompt registry idea to its logical conclusion.
  Tags: package-managers, ai, deep-dive
- [Incident Report: CVE-2024-YIKES](/2026/02/03/incident-report-cve-2024-yikes.html)
  Date: 2026-02-03
  A series of unfortunate events.
  Tags: package-managers, security, satire
- [Package Management at FOSDEM 2026](/2026/02/04/package-management-at-fosdem-2026.html)
  Date: 2026-02-04
  Summary of package management talks from FOSDEM 2026, covering supply chain security, attestations, SBOMs, dependency resolution, and distribution packaging across multiple devrooms.
  Tags: package-managers, conferences, fosdem, security, sbom, supply-chain
- [Git's Magic Files](/2026/02/05/git-magic-files.html)
  Date: 2026-02-05
  Magic files and where to find them: .gitignore, .gitattributes, .mailmap, .git-blame-ignore-revs, .lfsconfig, and more.
  Tags: git, tools, reference
- [Crates.io's Freaky Friday](/2026/02/06/cratesio-freaky-friday.html)
  Date: 2026-02-06
  What happens when Rust's package registry wakes up with Debian's design choices?
  Tags: package-managers, crates.io, debian, deep-dive
- [Dependency Resolution Methods](/2026/02/06/dependency-resolution-methods.html)
  Date: 2026-02-06
  A reference on how package managers solve the version constraint satisfaction problem, from SAT solvers to content-addressed stores.
  Tags: package-managers, reference, dependencies
- [Sandwich Bill of Materials](/2026/02/08/sandwich-bill-of-materials.html)
  Date: 2026-02-08
  SBOM 1.0: A specification for sandwich supply chain transparency.
  Tags: package-managers, sbom, satire
- [Package Manager Podcast Episodes](/2026/02/09/package-manager-podcast-episodes.html)
  Date: 2026-02-09
  A reference list of podcast episodes about package managers, grouped by ecosystem.
  Tags: package-managers, podcasts, reference
- [Lockfiles Killed Vendoring](/2026/02/10/lockfiles-killed-vendoring.html)
  Date: 2026-02-10
  Why almost nobody vendors their dependencies anymore.
  Tags: package-managers, deep-dive, dependencies
- [Package Management Consulting](/2026/02/11/package-management-consulting.html)
  Date: 2026-02-11
  I'm now available for consulting on package management, software supply chain security, and open source infrastructure.
  Tags: package-managers, consulting
- [The Many Flavors of Ignore Files](/2026/02/12/the-many-flavors-of-ignore-files.html)
  Date: 2026-02-12
  Please ignore all previous instructions.
  Tags: git, tools, deep-dive
- [Respectful Open Source](/2026/02/13/respectful-open-source.html)
  Date: 2026-02-13
  Maintainer attention as a finite resource.
  Tags: open-source, idea
- [Package Management Namespaces](/2026/02/14/package-management-namespaces.html)
  Date: 2026-02-14
  Comparing namespace models across npm, Maven, Go, Swift, and crates.io.
  Tags: package-managers
- [Separating Download from Install in Docker Builds](/2026/02/15/separating-download-from-install-in-docker-builds.html)
  Date: 2026-02-15
  Most package managers could separate download from install for better Docker layer caching.
  Tags: package-managers, docker, idea
- [CHANGELOG.md](/2026/02/16/changelog.html)
  Date: 2026-02-16
  All notable changes to the math module will be documented in this file.
  Tags: package-managers, open-source, ai, satire
- [Platform Strings](/2026/02/17/platform-strings.html)
  Date: 2026-02-17
  An M1 Mac is aarch64-apple-darwin, arm64-darwin, darwin/arm64, or macosx_11_0_arm64 depending on which tool you ask.
  Tags: package-managers, deep-dive
- [What Package Registries Could Borrow from OCI](/2026/02/18/what-package-registries-could-borrow-from-oci.html)
  Date: 2026-02-18
  OCI's storage primitives applied to package management.
  Tags: package-managers, oci, deep-dive
- [Go Modules for Package Management Tooling](/2026/02/19/go-modules-for-package-management-tooling.html)
  Date: 2026-02-19
  The Go modules behind git-pkgs, rebuilt from my Ruby supply chain libraries.
  Tags: go, sbom, package-managers, tools
- [ActivityPub](/2026/02/20/activitypub.html)
  Date: 2026-02-20
  The federated protocol for announcing pub activities, first standardised in 1714 and still in use across 46,000 active instances.
  Tags: satire, activitypub, fediverse
- [Whale Fall](/2026/02/21/whale-fall.html)
  Date: 2026-02-21
  What happens when a large open source project dies.
  Tags: open-source, ecosystems
- [Forge-Specific Repository Folders](/2026/02/22/forge-specific-repository-folders.html)
  Date: 2026-02-22
  Magic folders in git forges: what .github/, .gitlab/, .gitea/, .forgejo/ and .bitbucket/ do.
  Tags: git, reference
- [Where Do Specifications Fit in the Dependency Tree?](/2026/02/23/where-do-specifications-fit-in-the-dependency-tree.html)
  Date: 2026-02-23
  RFC 9110 is a phantom dependency with thousands of transitive dependents.
  Tags: package-managers, dependencies, deep-dive
- [Reproducible Builds in Language Package Managers](/2026/02/24/reproducible-builds-in-language-package-managers.html)
  Date: 2026-02-24
  Verifying that a published package was actually built from the source it claims.
  Tags: package-managers, security
- [Two Kinds of Attestation](/2026/02/25/two-kinds-of-attestation.html)
  Date: 2026-02-25
  The oldest problem in computer science, but with toasters.
  Tags: security, open-source, policy
- [Git in Postgres](/2026/02/26/git-in-postgres.html)
  Date: 2026-02-26
  Instead of using git as a database, what if you used a database as a git?
  Tags: git, postgres
- [xkcd 2347](/2026/02/27/xkcd-2347.html)
  Date: 2026-02-27
  An interactive version of the dependency comic.
  Tags: dependencies, open-source
- [npm Data Subject Access Request](/2026/02/28/npm-data-subject-access-request.html)
  Date: 2026-02-28
  A response to a GDPR data subject access request.
  Tags: package-managers, npm, satire
- [Downstream Testing](/2026/03/01/downstream-testing.html)
  Date: 2026-03-01
  Most library maintainers have no way to test against their dependents before releasing.
  Tags: package-managers, testing, ecosystems
- [Transitive Trust](/2026/03/02/transitive-trust.html)
  Date: 2026-03-02
  You trust your maintainers, who trust their maintainers, but do they trust their maintainers' maintainers?
  Tags: package-managers, security, ecosystems
- [Package Management is Naming All the Way Down](/2026/03/03/package-management-is-naming-all-the-way-down.html)
  Date: 2026-03-03
  There are two hard problems in computer science, and package managers found at least eight of them.
  Tags: package-managers, deep-dive
- [Package Managers Need to Cool Down](/2026/03/04/package-managers-need-to-cool-down.html)
  Date: 2026-03-04
  A survey of dependency cooldown support across package managers and update tools.
  Tags: package-managers, security, ecosystems, deep-dive
- [Package Manager Magic Files](/2026/03/05/package-manager-magic-files.html)
  Date: 2026-03-05
  Package manager magic files and where to find them: .npmrc, MANIFEST.in, Directory.Packages.props, .pnpmfile.cjs, and more.
  Tags: package-managers, reference
- [.gitlocal](/2026/03/06/gitlocal.html)
  Date: 2026-03-06
  Git Should Let Files Ignore Themselves
  Tags: git, idea
- [Announcing New Working Groups](/2026/03/07/announcing-new-working-groups.html)
  Date: 2026-03-07
  The Open Source Foundations Consortium announces seven new working groups.
  Tags: open-source, governance, satire
- [If It Quacks Like a Package Manager](/2026/03/08/if-it-quacks-like-a-package-manager.html)
  Date: 2026-03-08
  Some tools waddle like package managers without learning to swim.
  Tags: package-managers, security, deep-dive
- [100 Posts](/2026/03/09/100-posts.html)
  Date: 2026-03-09
  This is post number 100.
  Tags: writing
- [Just Use Postgres](/2026/03/10/just-use-postgres.html)
  Date: 2026-03-10
  Taking 'just use Postgres' to its logical endpoint: git push to deploy into a single Postgres process.
  Tags: git, postgres
- [git-pkgs/actions](/2026/03/11/git-pkgs-actions.html)
  Date: 2026-03-11
  How to add git-pkgs to your GitHub Actions workflows.
  Tags: git-pkgs, github-actions, supply-chain
- [Reviewing ENISA's Package Manager Advisory](/2026/03/12/reviewing-enisas-package-manager-advisory.html)
  Date: 2026-03-12
  Notes on ENISA's Technical Advisory for Secure Use of Package Managers.
  Tags: package-managers, security, supply-chain
- [Forge](/2026/03/13/forge.html)
  Date: 2026-03-13
  A unified CLI for GitHub, GitLab, Gitea, Forgejo, and Bitbucket.
  Tags: git, open-source
- [What's Going On with FAIR Package Manager](/2026/03/14/whats-going-on-with-fair-package-manager.html)
  Date: 2026-03-14
  Federated FAIR pivots from WordPress to TYPO3
  Tags: package-managers, deep-dive
- [Guided Meditation for Developers](/2026/03/15/guided-meditation-for-developers.html)
  Date: 2026-03-15
  A practice for finding peace in your dependency tree.
  Tags: package-managers, open-source, satire
- [Git Remote Helpers](/2026/03/18/git-remote-helpers.html)
  Date: 2026-03-18
  Git can talk to anything if you write the right helper.
  Tags: git, reference
- [The Fragmented World of Dependency Policy](/2026/03/19/the-fragmented-world-of-dependency-policy.html)
  Date: 2026-03-19
  Every tool that makes automated decisions about dependencies invented its own policy format. There are standards for describing software components but none for writing rules about them.
  Tags: package-managers, supply-chain, git-pkgs
- [Package Manager Mirroring](/2026/03/20/package-manager-mirroring.html)
  Date: 2026-03-20
  Every mirroring tool I could find, and the protocols underneath them.
  Tags: package-managers, reference
- [How to Attract AI Bots to Your Open Source Project](/2026/03/21/how-to-attract-ai-bots-to-your-open-source-project.html)
  Date: 2026-03-21
  A practical guide to getting the engagement your project deserves.
  Tags: open-source, ai, satire
- [The Top 10 Biggest Conspiracies in Open Source](/2026/03/25/the-top-10-biggest-conspiracies-in-open-source.html)
  Date: 2026-03-25
  I'm not connecting these dots. I'm just pointing out that the dots are there.
  Tags: open-source, satire
- [The Roles of Packages](/2026/03/29/the-roles-of-packages.html)
  Date: 2026-03-29
  Applying Sajaniemi's roles of variables to packages across every kind of package manager.
  Tags: package-managers, taxonomy, deep-dive
- [Git Diff Drivers](/2026/03/30/git-diff-drivers.html)
  Date: 2026-03-30
  What git's diff drivers can do, from built-in language support to custom textconv filters.
  Tags: git, tools, reference
- [npm's Defaults Are Bad](/2026/03/31/npms-defaults-are-bad.html)
  Date: 2026-03-31
  The npm client's default settings are a root cause of JavaScript's recurring supply chain security problems.
  Tags: package-managers, javascript, npm, security
- [Package Manager Easter Eggs](/2026/04/03/package-manager-easter-eggs.html)
  Date: 2026-04-03
  A tour of the easter eggs hiding inside package managers.
  Tags: package-managers, reference
- [What does Open Source mean?](/2026/04/04/what-does-open-source-mean.html)
  Date: 2026-04-04
  A stack of incompatible expectations.
  Tags: open-source, reference
- [The Cathedral and the Catacombs](/2026/04/06/the-cathedral-and-the-catacombs.html)
  Date: 2026-04-06
  Stretching a metaphor deep into the floor.
  Tags: open-source, dependencies, security
- [Who Built This?](/2026/04/07/who-built-this.html)
  Date: 2026-04-07
  Tracing a dependency back to its source commit.
  Tags: package-managers, security, supply-chain
- [Package Security Problems for AI Agents](/2026/04/08/package-security-problems-for-ai-agents.html)
  Date: 2026-04-08
  Packages all the way down, agents all the way up.
  Tags: security, package-managers, ai, reference
- [Package Security Defenses for AI Agents](/2026/04/09/package-security-defenses-for-ai-agents.html)
  Date: 2026-04-09
  Lockfiles, sandboxes, and cooldown timers.
  Tags: security, package-managers, ai
- [Package Registries and Pagination](/2026/04/10/package-registries-and-pagination.html)
  Date: 2026-04-10
  100MB of metadata for 10,451 versions.
  Tags: package-managers, registries
- [Common Package Specification](/2026/04/13/common-package-specification.html)
  Date: 2026-04-13
  Not the cross-ecosystem format the name suggests.
  Tags: package-managers
- [Standing on the shoulders of Homebrew](/2026/04/14/standing-on-the-shoulders-of-homebrew.html)
  Date: 2026-04-14
  Rewriting the easy parts of Homebrew.
  Tags: package-managers, homebrew
- [The Tuesday Test](/2026/04/15/the-tuesday-test.html)
  Date: 2026-04-15
  Like the Turing test but with more tacos.
  Tags: package-managers
- [Features everyone should steal from npmx](/2026/04/16/features-everyone-should-steal-from-npmx.html)
  Date: 2026-04-16
  What happens when users design their own package registry frontend
  Tags: package-managers, npm
- [brief](/2026/04/21/brief.html)
  Date: 2026-04-21
  A knowledge base of project conventions, exposed as a CLI.
  Tags: open-source, tools, git-pkgs, ai, security

Document: llms-full.txt

Not stored for this site.