What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• Giving contribution gifts: the risks and rewards — Giving contribution gifts can be a great way to reward people for the work they do in your project, but it comes with challenges.
• curl’s zero issues — The curl project briefly achieved zero open issues. If you want that for your project, there are a few simple things to do.

Kusari

• Breaking the “Department of No” – Ship Fast, but also Secure — Security shouldn’t slow you down. Kusari and Cloudsmith enable faster, safer releases by turning noisy CVE scans into actionable insight and enforcing policy from build to deploy. Go fast and secure.

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• Who should enforce the code of conduct? — There are valid reasons to involve outside experts in code of conduct enforcement, but it’s ultimately a leadership responsibility.
• Duplicate bug reports and how to handle them — Duplicate bug reports waste time for everyone involved. You can reduce them by understanding the complicated dynamics.
• Who is a “member” of your project? — We often use the words “contributor” and “member” interchangeably in open source projects, but there are subtle differences between the two.

Kusari

• Celebrating OpenSSF’s Anniversary — Kusari celebrates the past, present, and future of the Open Source Security Foundation.
• Using Kusari Platform to Manage your Open Source Dependencies (ghostwrite) — Companies need to pay attention to the security of their open source dependencies. Kusari Platform can help.

DEVOPSdigest

• What America’s AI Action Plan means for you today — The recent directive from the White House is light on details, but you can start heading in the right direction to be ready when the details arrive.

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• Using AI moderation tools — Use AI moderation tools to help human moderators, not to act on their own. Don’t take the humanity out of your community management.
• You can only expect the help you ask for — People won’t know you need help unless you ask for it. Be specific about what you need and be prepare to help the helpers.

Kusari

• Supply chain security for gitops — Software supply chain security doesn’t stop at the application layer. Kusari Inspector can help secure your infrastructure-as-code, too. 
• Addressing the challenges of cloud-native application security — Kusari’s software supply chain expertise gives you the ability to overcome the challenges in securing your cloud-native applications.

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• The right tool is the one people can use — If a tool is a means to an end (and it is!), then the right tool is the one that gets the job done. Even if it wasn’t intended for that purpose.
• Your only obligations are the promises you make — A recent policy change in libxml2 highlights the fact that project maintainers don’t have to do something just because it’s a good idea.

OpenSSF

• GUAC 1.0 is Now Available — After three years and contributions from 400+ people across 90 organizations, GUAC has reached 1.0!

GUAC

• GUAC update: May 2025

What have I been writing when I haven’t been writing here?

Kusari

• Securing the Software Supply Chain book now available! — This new book from Michael Liberman and Brandon Lum (edited by yours truly!) guides you from the basics of supply chain security through to being a security expert.
• The future of CVEs — Recent funding concerns have highlighted the need for a more resilient system of vulnerability identification.

GUAC

• GUAC Update: March 2025

What have I been writing when I haven’t been writing here?

Kusari

• Raising the Bar for Open Source Security: Introducing the OSPS Baseline — Kusari is proud to contribute to the Open Source Project Security Baseline, an OpenSSF project to help open source maintainers improve their security posture.
• Unpacking Kusari Platform Views (ghostwrite) — Kusari Platform gives you the information you need to secure your software supply chain.
• Starting the security journey: producing an SBOM (ghostwrite) — A hypothetical organization takes the first step on their software supply chain security journey by creating an SBOM for their application.
• The next step in the security journey: comparing SBOMs (ghostwrite) — Once you have multiple releases, you have multiple SBOMs. What can you learn from comparing them?
• Another step on the security journey: a constellation of SBOMs (ghostwrite) — When you need a solution for managing your software supply chain, the Kusari Platform provides enterprise-ready features backed by security expertise.
  • The last step on the security journey: Kusari Platform (ghostwrite) — When you need a solution for managing your software supply chain, the Kusari Platform provides enterprise-ready features backed by security expertise.
  • Securing your AI Models (ghostwrite) — The abilities of generative and agentic AI models require a proactive approach to protecting the AI supply chain.

Duck Alignment Academy

• Rules and policies are necessary to define good behavior — Think of it this way: having rules and policies for behavior in your community is like documenting the community’s API.
• Helping your project survive the loss of core contributors — Only 27% of projects that lose their core developers survive, but you can take steps to give your project its best chance.
• Facilitating decisions is more important than making them — You cannot decide on behalf of the community. Facilitating decisions is how you build a community that wants to stick around.

GUAC

• GUAC Update: February 2025
• March 2025 Community Meeting

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• Reviewing open source trends in 2024 — How well did I capture trends in open source for 2024? I think I nailed it.
• The “O” in “FOSS” doesn’t stand for “obligation” — We need to motivate the behavior we want to see instead of being upset when it doesn’t happen.
• Prioritizing work in the project with the MoSCoW method — The MoSCoW method is a simple, easy-to-use method for prioritizing work by putting into one of four categories.
• CalVer is many schemes — You need to clearly indicate how you identify your releases. Simply saying “CalVer” does not set clear expectations for your users.

GUAC

• GUAC Update: December 2024
• January 2025 Community Meeting
• GUAC v0.13.0 released
• GUAC’s 2024 in review — 2024 was a big year for GUAC: from joining the OpenSSF to three keynote mentions at KubeCon NA, with a ton of releases and community growth in between.

Kusari

• Stick a Pin in It: Managing Dependencies for Supply Chain Security — Managing software dependencies is an important part of software supply chain security. Here are three approaches you can take to pin your dependencies to known-good versions.

TL;DR: You can now follow @funnelfiasco.bsky.social on Bluesky.

This morning, the admins of Hachyderm defederated from Threads. This was a result of recent changes that Threads parent Meta made to moderation policies. It’s now totally cool with Mark Zuckerberg if you say someone’s gender or sexual identity, for example, is a mental illness. The Hachyderm admins rightfully said “fuck that noise” and, since protecting Hachyderm users from this garbage would greatly increase the moderation load, they took the only other option available: defederation.

I understand and support this decision, but it put me in kind of a bind. My social network on Mastodon is way smaller than what it had been on Twitter. This isn’t just ego starvation, but it means that people I enjoyed interacting with are beyond my reach. Some of them started using Threads, but now I’m cut off from them again. Bluesky seems to have really caught on with both my tech- and normal-people circles lately, so I’ve finally gotten around to creating an account there: @funnelfiasco.bsky.social.

I’ve started following some people haphazardly, mostly from people I have seen post elsewhere about being on Bluesky and also the people followed by I’ve started following. So the list is still small, but hopefully I’ll be able to build it up quickly. I don’t know yet how I’ll route my posts to either Mastodon or Bluesky. I’m opposed to the idea of crossposting all the things, so I won’t do that. I’ll probably settle into some kind of pattern eventually. I have time to figure this out.

On a related note, I’m trying to reduce my use of Meta properties in general, although the network effect will probably keep me on Facebook for a long time. But in order to promote the web I want to see, I’m going to try to start writing here more. Wish me luck!