What have I been writing when I haven’t been writing here?
Duck Alignment Academy
- Public mistakes are a feature of open source — Everyone who is good at something has a trail of [mistakes] in their wake. Open source means sharing the learning experience with others.
- The easy fixes probably aren’t in your code — Mature projects don’t have many easy fixes left in the code. But test coverage, documentation, websites, and other areas probably have plenty.
- Membership needs a removal process — People need to be removed for a variety of reasons, and having planned ahead makes the process much easier.
- Tasks and projects: what’s the difference — It’s not always clear how to distinguish between tasks and projects. My rule of thumb: tasks have binary state, projects have several states.
Kusari
- Counting CVEs was never enough — CVE IDs don’t tell you much, but somehow we started using them as a proxy for security.
- Kusari signs the Secure By Design Pledge (ghost write) — The Secure By Design Pledge is a great starting point, but it can’t be the end.
- Meeting federal software supply chain mandates (ghost write) — If you’re providing software to the US federal government, you need to start making attestations about your security posture soon.
- To fork or not to fork — How you handle your dependencies will change how you secure your software supply chain.