Book review: Guiding Star OKRs

Posted on April 21, 2025 by Ben Cotton

Setting, tracking, and reporting OKRs is terrible. But what if it wasn’t? In Guiding Star OKRs: A New Approach to Setting and Achieving Goals, Staffan Nöteberg lays out a framework that focuses on heading in the right direction instead of trying to meet exact targets. Unlike the OKRs you may have experienced, Guiding Star OKRs are focused on getting the right results, not the pre-determined results.

In a previous role, management was big into setting cascading OKRs (which Nöteberg says not to do). My objectives were my manager’s key results. My manager’s objectives were my VP’s key results, and so on. The end result was that there was no reward for helping colleagues meet their individual OKR targets. Instead of working together, we all worked individually in the hope that it ended up achieving the company’s broader goals. Spoiler alert: it did not.

I went into reading Guiding Star OKRs expecting to shake my head at a slight variation on a broken system. Instead, I came away enthusiastic about Nöteberg’s approach. Finally, OKRs that are meaningful!

The concept of setting and attracting objectives and key results (OKRs) really took off a Google. As anyone in the sysadmin/DevOps space in the early 2010s can tell you, a lot of organizations copied Google without considering if they need to.

This book is full of practical advice and examples to help the reader adopt the framework to their organization’s specific needs. For example: “never engage in setting objectives or key results when tasks are already determined.”

Guiding Star OKRs is a must-read for leaders who want to achieve results in a sustainable way. It’s now available in print and digital formats from The Pragmatic Bookshelf.

Full disclosure: I provided the publisher with a praise quote for this book and received a complimentary copy as a result. I received no compensation for this review.

Book review: Business Success with Open Source

Posted on April 15, 2025 by Ben Cotton

Open source is big business, whether you mean companies producing open source software or using it to build their products. But too many companies don’t take an intentional approach to how they consume and create open source. There’s no excuse for that now that VM Brasseur’s new book, Business Success with Open Source: Strengthen Your Business with Free and Open Source Software, is published.

At 470 pages, this is no light treatment of the topic. Brasseur digs deep into the intersection of business and open source software with insights from her years of experience. Readers who are already deep in the open source world may find the early chapters unnecessary, but Brasseur ensures that no one gets left behind.

If you’re in a leadership role in your company and have anything to do with open source at all, you need to read this book. It’s now available in print and digital formats from The Pragmatic Bookshelf.

Full disclosure: VM Brasseur is a close personal friend. In addition, I was a technical reviewer for this book and received a complimentary copy for my work. I received no compensation for this review.

Other writing: March 2025

Posted on April 4, 2025 by Ben Cotton

What have I been writing when I haven’t been writing here?

Kusari

Raising the Bar for Open Source Security: Introducing the OSPS Baseline — Kusari is proud to contribute to the Open Source Project Security Baseline, an OpenSSF project to help open source maintainers improve their security posture.
Unpacking Kusari Platform Views (ghostwrite) — Kusari Platform gives you the information you need to secure your software supply chain.
Starting the security journey: producing an SBOM (ghostwrite) — A hypothetical organization takes the first step on their software supply chain security journey by creating an SBOM for their application.
The next step in the security journey: comparing SBOMs (ghostwrite) — Once you have multiple releases, you have multiple SBOMs. What can you learn from comparing them?
Another step on the security journey: a constellation of SBOMs (ghostwrite) — When you need a solution for managing your software supply chain, the Kusari Platform provides enterprise-ready features backed by security expertise.
- The last step on the security journey: Kusari Platform (ghostwrite) — When you need a solution for managing your software supply chain, the Kusari Platform provides enterprise-ready features backed by security expertise.
- Securing your AI Models (ghostwrite) — The abilities of generative and agentic AI models require a proactive approach to protecting the AI supply chain.

Duck Alignment Academy

Rules and policies are necessary to define good behavior — Think of it this way: having rules and policies for behavior in your community is like documenting the community’s API.
Helping your project survive the loss of core contributors — Only 27% of projects that lose their core developers survive, but you can take steps to give your project its best chance.
Facilitating decisions is more important than making them — You cannot decide on behalf of the community. Facilitating decisions is how you build a community that wants to stick around.

GUAC

Highways routed around towns

Posted on March 28, 2025 by Ben Cotton

“Don’t you think,” one of George Minafer’s unnamed compatriots asks in The Magnificent Ambersons, “that being things is rather better than doing things?” Minafer and his crowd are not the most sympathetic characters, and I don’t think Booth Tarkington intended them to be (although Minafer could arguably be considered an exaggerated avatar of his creator in certain respects), but I think there’s something to this quote.

I thought about it on a recent drive to Fort Wayne, where the Hoosier Heartland Highway in all its four-lane divided highway splendor curves around several small towns. Americans, it seems, would rather get to places than go to places. By this, I mean the journey is something to make as short as possible, not a part of the experience.

I’m no highway engineer, but every time I’ve driven the Hoosier Heartland Highway, the traffic has been almost non-existent. There seems to be very little reason for the “upgrade”, other than to let people drive faster. And as a result, there are towns that people no longer drive through. This might be good for the driver, but it seems less good for the businesses in the towns, and perhaps for us as a society.

When I drive through small towns, I sometimes wonder how much longer they have. The population of Americus, through which Indiana 25 no longer passes, has fallen from 630 in 2012 when the Hoosier Heartland Highway opened to 57 in 2023. Some of this is part of a general trend, to be sure, but not all of it.

Are we really in such a hurry that we’re willing to give up unique places in exchange for the sameness of limited-access highways with the same fast food places at every exit? Probably. I’m guilty of it myself. But there’s a lot we’re missing out on that we might not get back when it’s gone. We could do with spending more time being and less time doing.

Baseball and me in 2025

Posted on March 24, 2025 by Ben Cotton

Once again borrowing from Chris O’Donnell, I thought I’d write about my relationship to baseball in 2025.

Like many American boys, I grew up playing Little League baseball. I loved the game, even though I was decidedly bad at it. When I got to the age where I’d be on the more competitive traveling teams, I retired. Instead, I helped out as an assistant coach and scorekeeper for my younger sisters’ softball teams.

My family would go to a couple of AAA games in Louisville most years and I’d watch the All Star Game and World Series on TV usually, but that was about it. I was decidedly a casual fan. It didn’t help that “my” team was 600 miles away, which means 1. we definitely were not going to see a home game and 2. they weren’t on TV basically ever.

Reader, have I ever told you the story of how I became an Orioles fan? Again, like many American boys, I collected baseball cards. Like boys who only had sisters, I often wished I had a brother. So when I ended up with baseball cards for brothers Cal, Jr. and Bill Ripken and they played for the same team I was enthralled. Not long after that, Cal, Jr. broke Lou Gehrig’s consecutive game stream, and I was hooked for life.

So given that the Orioles have been really good the last few years and that I can easily watch most of their games online, you might think I’d be a more engaged fan. Well…I’m not.

Baseball invites a casualness that I don’t get from most other sports. The slowness of the game itself that some complain about is a feature to me. You can sit back, have a conversation, drink a beer or two, and just let the world go by for a bit. And MLB plays 162 games a year, so it’s okay if you miss one or ten.

I’ve tried playing in fantasy baseball leagues, but I just don’t get into it enough to do well. And my life is busy enough that watching more than the occasional game on TV is difficult. So as the 2025 baseball season starts, I’ll mostly catch up on the Orioles via the blogs I read and maybe I’ll sneak in a game here and there. I’ll keep going to the Lafayette Aviators games because they’re cheap and local. Baseball, like most sports, is better experienced in person.

DevOpsDays Chicago 2025 recap

Posted on March 21, 2025 by Ben Cotton

On Tuesday, I drove up to Chicago for the DevOpsDays event there. I’d never been to one, but they gave me a nice discount after rejecting my talk proposal, and it’s only a few hours, so I decided “why not?” I’m not really in the DevOps space anymore (to the degree I ever was), so I was a little worried that I wouldn’t be able to keep up. But the good news is that I was!

The DevOpsDays Chicago yak and its handler.

First, though, I want to tell you about a little DevOops I had. The bathrooms in the venue are fancy. They have bottles of mouthwash and little disposable cups for people who want to have minty fresh breath. I only discovered this after I washed my hands. I reflexively reached for the bottle on the counter and scrubbed dutifully. Then I realized my hands were minty fresh. I was sure to use the soap the rest of the day.

The morning had several good talks. Reid Savage gave a talk called “anti-devops.” They included such concepts as “transparency is bad,” “silos are good,” and “stop shipping iteratively.” While that might sound contrarian, it was not. Reid’s point was more of “you can have too much of a good thing.” They were the source of my favorite notes:

Transparency without clarity is bad. “I really need to pee” is providing transparency. “Do you see a bathroom nearby?” is providing clarity.

Paul Czarkowski gave a talk about running private AI on home infrastructure. He was mostly able to do live demos, which is always a risky proposition. He also said something that I want to tattoo on a lot of people’s foreheads: “Anytime you ask an AI a question, you need to be able to think critically about the response.”

The final full-length talk of the morning came from Annie Hedgpeth. Her talk explained professional networking with an analogy to systems networking. Like her, I’ve found that the relationships are more important to my career than the technical problems I’ve solved. As she said, “Like disaster recovery, professional relationships are an ongoing practice, not an emergency response.”

Just before the lunch break, there was a series of ignite talks. These are short talks with auto-advancing slides. I have a lot of speaking experience, but the thought of doing an ignite talk gives me a sense of dread. I have a ton of respect for anyone willing to get on stage and deliver a talk of any quality, but these were all good. I bought a copy of Robert Snyder’s Innovation Portfolio because I was intrigued by his “five verbs” concept. Expect a Duck Alignment Academy post on that someday.

After lunch, we had open sessions. I proposed one on supply chain security that I called “the next log4shell happened and I do or do not know what to do next.” I also attended one on reusable workflows (do they make us dumber?) and one on communicating with executives. All three had great conversations.

On top of all of the great professional content, I was also able to spend a few minutes catching up with a couple of folks I haven’t seen since the Before Times. It was great to see Jamie and Matty again. Hopefully it won’t be half a decade until the next time.

This was the 10th DevOpsDays Chicago, and I’m looking forward to the 11th. Now that I have a better sense for the vibe, I’m motivated to tweak my proposal and give a future event a try. Perhaps Des Moines or Detroit later this year?

“The Dress” and shared reality

Posted on March 17, 2025 by Ben Cotton

For the better part of the last decade (and perhaps longer), we’ve struggled with the fact that not everyone is living in the same reality. Political polarization is, in my view, less about reasoned differences in policy preferences and more about the fact that we’re not working from the same set of facts. Nothing I can say will convince someone who believes that a secret cabal is trafficking children in the basement of a pizza restaurant. Or more banally, that Joe Biden shut down the country at the beginning of the COVID-19 pandemic.

We recently passed the 10th anniversary of “The Dress,” which some say is the start of all of this.

The day of The Dress, I was interviewing for a job. I wasn’t allowed to have my phone at the facility, so I was offline most of the day. When I got to the airport, I had a chance to catch up on work and also the Internet. I’ll admit that I was a lot more interested in the llamas running loose in Arizona than some photo of a white and gold (don’t @ me) dress.

“The Dress” was definitely a shared experience for those of us terminally online in 2015. Whether it’s the event that tore us apart or not is harder to say. It does seem to mark a turning point, but the same could be said for the deaths of David Bowie and Harambe in 2016.

Instead of a beginning, The Dress might be an end. I see it as the end of shared experiences. With so many entertainment options, we don’t have things like the final episode of “M*A*S*H” or “Seinfeld” to have a shared experience. And maybe that’s part of the reason we don’t have a shared reality.

Other writing: February 2024

Posted on March 7, 2025 by Ben Cotton

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

Open source projects don’t exist separately from the outside world — You do your community a disservice when you treat open source as a noble pursuit that’s separate from the noise of daily life.
Prioritizing your tasks with the Eisenhower Matrix — The Eisenhower Matrix is a simple framework for prioritizing your tasks by determining a task’s importance and urgency.
Improvement requires context — If you swoop in uninformed, you might make some correct decisions, but you’ll probably make more wrong ones. (I’m looking at you, Elon.)
Every project is a software project — It’s a good reminder that our audience is broader than we might think and we should act accordingly.

Kusari

Alarms Raised by Critical Reverse Backdoor Vulnerability in Medical Devices (ghostwrite) —Medical monitors have critical security flaws, allowing unauthorized code execution and patient data leaks.
Unpacking the Kusari Score (ghostwrite) — Cut through the noise to prioritize which vulnerability gets fixed next.
Unpacking the Kusari “Effort to Fix” Capability (ghostwrite) — Get a clear understanding of the work involved in remediating a vulnerability so you can schedule it in your sprint without blocking feature work.
Analyzing third-party risk in open source software — Third-party risk management is an important part of protecting your organization. But how do you manage the risks of open source software when you have no vendor relationship?
Addressing third-party risk in open source software — Once you’ve discovered the third-party risks in the open source projects you consume, how do you address those risks without having a vendor relationship with the projects?

GUAC

I finally cancelled my Washington Post subscription

Posted on March 3, 2025 by Ben Cotton

Last week, I cancelled my subscription to the Washington Post after its owner made clear that he is going to influence the editorial direction. The news side, they say, remains un-influenced. Even if that’s true, my money is somewhat indistinguishable. I can’t say “I’m subscribing to support the journalists only.” If Jeff Bezos wants to talk free market, I will be a free market actor. I still pay for great journalism from Marketplace, NPR, WIRED, The New Yorker, Ars Technica, and my local “retired” reporter/columnist. Plus the okayish journalism from two local papers squeezed to near-death by Gannett. The billionaire can do without my $120/year.

At the risk of turning Blog Fiasco into “Ben’s Collection of Open Letters”, I wrote this to WaPo’s support when I cancelled:

Since the “other” option in the subscription cancellation workflow doesn’t provide a text field, I thought I should take a moment to let you know why. I am an ardent believer that journalism is worth paying for. I am not an ardent believer in oligarchy. If Mr. Bezos chooses to put his thumb on the scale of the Post’s opinion page, then he doesn’t need help from my money. Jeff Bezos could fund the Post’s operational losses for the next century and only lose less than 5% of his net worth. I considered cancelling my subscription after the Post did not make an endorsement in the presidential election, as many others did. Ultimately, I chose not to because I understand that the reporters and editors doing the daily work don’t control what the executives do. But I can no longer contribute to this in good conscience. Democracy may die in darkness, but oligarchy blows out the candles.

Shortly thereafter, I got a canned reply:

For 138 years, The Washington Post has committed its pages to covering and holding power to account. Our Newsroom remains dedicated to independent reporting and fact-based journalism. Our Opinion pages will now focus on the pillars of free markets and personal liberties, two underserved viewpoints in the current market of ideas and news opinion. We look forward to continuing to be a publication for all of America.

Bullshit. Blink if you need help, customer support rep.

A letter to Purdue’s president

Posted on February 28, 2025 by Ben Cotton

I sent the following email to Mung Chiang, the president of Purdue University, last Wednesday. As of publication, I have not received a reply from his office.

President Chiang,

I write to you as a two-time Purdue alumnus, former staff member, and Lafayette resident. Like many, I am concerned about the abrupt cuts in federal funding and the state and federal attacks on diversity, equity, and inclusion. This not only affects an institution that I hold dear, but it harms the long-term future of society at large.

To that end, I am disappointed that Purdue has not taken a more vocal position. I understand and respect the desire to stay out of politics. But I am not asking the University to weigh in on what the top marginal tax rate should be. Purdue only stands to lose if the federal government continues to renege on commitments to funding. How can the Purdue One Health Initiative hope to be successful in an environment where science is ignored in favor of political loyalties and the NIH is being slashed?

How can Purdue continue to attract the best for its faculty, staff, and students when any effort to reach out to and support under-indexed people is forbidden? Research shows that diverse teams produce better results, so DEI programs are materially beneficial as well as ethically right.

I appreciate that what I am asking will draw unwanted attack, but it’s in the best long-term interests of the university to take a stand. As we remind ourselves in the opening line of “Hail Purdue!”: to your call one more we rally.

Yours,

Benjamin Cotton
BS 2006
MS 2014