What have I been writing when I haven’t been writing here?

Kusari

• Raising the Bar for Open Source Security: Introducing the OSPS Baseline — Kusari is proud to contribute to the Open Source Project Security Baseline, an OpenSSF project to help open source maintainers improve their security posture.
• Unpacking Kusari Platform Views (ghostwrite) — Kusari Platform gives you the information you need to secure your software supply chain.
• Starting the security journey: producing an SBOM (ghostwrite) — A hypothetical organization takes the first step on their software supply chain security journey by creating an SBOM for their application.
• The next step in the security journey: comparing SBOMs (ghostwrite) — Once you have multiple releases, you have multiple SBOMs. What can you learn from comparing them?
• Another step on the security journey: a constellation of SBOMs (ghostwrite) — When you need a solution for managing your software supply chain, the Kusari Platform provides enterprise-ready features backed by security expertise.
  • The last step on the security journey: Kusari Platform (ghostwrite) — When you need a solution for managing your software supply chain, the Kusari Platform provides enterprise-ready features backed by security expertise.
  • Securing your AI Models (ghostwrite) — The abilities of generative and agentic AI models require a proactive approach to protecting the AI supply chain.

Duck Alignment Academy

• Rules and policies are necessary to define good behavior — Think of it this way: having rules and policies for behavior in your community is like documenting the community’s API.
• Helping your project survive the loss of core contributors — Only 27% of projects that lose their core developers survive, but you can take steps to give your project its best chance.
• Facilitating decisions is more important than making them — You cannot decide on behalf of the community. Facilitating decisions is how you build a community that wants to stick around.

GUAC

• GUAC Update: February 2025
• March 2025 Community Meeting

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• Reviewing open source trends in 2024 — How well did I capture trends in open source for 2024? I think I nailed it.
• The “O” in “FOSS” doesn’t stand for “obligation” — We need to motivate the behavior we want to see instead of being upset when it doesn’t happen.
• Prioritizing work in the project with the MoSCoW method — The MoSCoW method is a simple, easy-to-use method for prioritizing work by putting into one of four categories.
• CalVer is many schemes — You need to clearly indicate how you identify your releases. Simply saying “CalVer” does not set clear expectations for your users.

GUAC

• GUAC Update: December 2024
• January 2025 Community Meeting
• GUAC v0.13.0 released
• GUAC’s 2024 in review — 2024 was a big year for GUAC: from joining the OpenSSF to three keynote mentions at KubeCon NA, with a ton of releases and community growth in between.

Kusari

• Stick a Pin in It: Managing Dependencies for Supply Chain Security — Managing software dependencies is an important part of software supply chain security. Here are three approaches you can take to pin your dependencies to known-good versions.

TL;DR: You can now follow @funnelfiasco.bsky.social on Bluesky.

This morning, the admins of Hachyderm defederated from Threads. This was a result of recent changes that Threads parent Meta made to moderation policies. It’s now totally cool with Mark Zuckerberg if you say someone’s gender or sexual identity, for example, is a mental illness. The Hachyderm admins rightfully said “fuck that noise” and, since protecting Hachyderm users from this garbage would greatly increase the moderation load, they took the only other option available: defederation.

I understand and support this decision, but it put me in kind of a bind. My social network on Mastodon is way smaller than what it had been on Twitter. This isn’t just ego starvation, but it means that people I enjoyed interacting with are beyond my reach. Some of them started using Threads, but now I’m cut off from them again. Bluesky seems to have really caught on with both my tech- and normal-people circles lately, so I’ve finally gotten around to creating an account there: @funnelfiasco.bsky.social.

I’ve started following some people haphazardly, mostly from people I have seen post elsewhere about being on Bluesky and also the people followed by I’ve started following. So the list is still small, but hopefully I’ll be able to build it up quickly. I don’t know yet how I’ll route my posts to either Mastodon or Bluesky. I’m opposed to the idea of crossposting all the things, so I won’t do that. I’ll probably settle into some kind of pattern eventually. I have time to figure this out.

On a related note, I’m trying to reduce my use of Meta properties in general, although the network effect will probably keep me on Facebook for a long time. But in order to promote the web I want to see, I’m going to try to start writing here more. Wish me luck!

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• The best way to make a decision is to decide — In most cases, a good decision made quickly is better than a great decision made slowly.
• The real problem with EOL software — The problem with end-of-life software isn’t the lack of vulnerability and bug fixes. It’s knowing when software is truly end-of-life.
• Moderation queues need context — Many tools lack a good way for moderators to indicate “this message is still in the queue on purpose.”

DevOps Digest

• Can we move forward with the Open Source AI Definition? — The OSAID is imperfect, but is it good enough? We’ll have to wait and see.

Kusari

• The Best Way to Secure Your Open Source Supply Chain is to Participate — Open source software powers 75-90% of modern applications, but it comes with challenges. Companies can secure their supply chains by actively participating in the open source projects they rely on.
• Rust Won’t Fix Everything: Moving Toward a Memory-Safe Future — Rust offers powerful tools for addressing memory safety issues, but rewriting all C and C++ applications in Rust isn’t feasible due to the sheer volume of legacy code and the challenges of reimplementation.
• Threat Modeling in the Software Development Life Cycle (ghostwrite) — What are you defending against? From upstream dependencies to code repositories, threat modeling ensures you’re prepared to mitigate risks, reduce vulnerabilities, and avoid costly compromises.

GUAC

• guac-visualizer 0.4.10 released
• GUAC Update: December 2024
• guac v0.12.0 released

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• Communities aren’t an accidental collection of strangers with a common interest — Community implies a degree of commitment to stick around, and the bonds of friendship can make the project a more enjoyable place to be.
• ccTLDs are bad for your project — Using a ccTLD puts your project’s infrastructure at the whims of geopolitics. There are plenty of other TLDs to choose from.
• Innovation Happens Elsewhere: now in portable form — I’ve republished Innovation Happens Elsewhere in epub and PDF forms.

GUAC

• GUAC update: 2024-11-01

What have I been writing when I haven’t been writing here?

Security Boulevard

• Why NTIA Support of Open-Source AI is Good for Security (co-author) — Security by obscurity doesn’t work, so trying to keep AI from being used for bad purposes by hiding it won’t work, either.

Duck Alignment Academy

• The future of first-party open source events — The way first-party open source events are typically setup does not fit the world in 2024. A new approach splits talks, social, & workshops.
• It’s okay to not do things — Just because you had the idea to do something, that doesn’t mean you’re obligated to do it. Some tasks can be skipped or delayed.
• Code style guides are for cooperation, not preferences — If you’re leading a project, document your style. If you’re joining a project, set your style preferences aside.

GUAC

• GUAC at Open Source Summit Europe (ghost write) — Go see Mike. Get stickers!
• GUAC use cases beyond security on CNCF Live
• September 2024 community meeting
• GUAC v0.8.4 released
• GUAC v0.8.6 released
• GUAC v0.8.7 released
• guac-visualizer 0.4.5 released
• GUAC in Hacktoberfest 2024 — Help make GUAC better and also work toward Hacktoberfest completion!
• Finding Hacktoberfest projects with GUAC — Use GUAC to find Hacktoberfest projects you should contribute to.

Kusari

• Protect Your Codebase: The Importance of Provenance (ghost write) — The security of your software is directly impacted by the dependencies you choose. How do you verify and protect those dependencies?

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• “Helping” versus being helpful — Every situation is different, so ask “would it be helpful if I _?” When you get agreement on your help, your work will be helpful.
• Volunteers can’t be blockers — Figure out the truly critical processes and accept that non-critical ones may get missed. Give critical processes to paid contributors.
• Companies: make sustainable contributions — We learned over the past year or two that corporate participation in an open source project is not guaranteed. The contributions a company makes need to be sustainable long after the company stops participating.
• Strategic use of bikeshedding — Painting a bike shed can be an excellent icebreaker when getting a group to review a document draft.

GUAC

• Mixing license information into your GUAC – GUAC v0.8.0 adds support for querying license data from ClearlyDefined.
• Help GUAC’s docs rock — The GUAC project needs documentation help. We’d love to have your contributions!
• August 2024 Community Meeting
• New schedule for GUAC Time office hours
• GUAC v0.8.1 released
• GUAC v0.8.2 released

Kusari

• Hack-Proof Artificial Intelligence Supply Chains Using Open Source Security (ghost write) — Practical ways to protect against AI software attacks
• Understanding prevalence is the first step — The federal government’s $11 million investment is a good start to understanding the impact of open source software.

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• “Finished” and “no longer developed” aren’t the same — Software is finished when it reliably does what it’s intended to.
• Your project is political, people’s identities aren’t — No project that involves people is “purely technical.” And “ideologically motivated” is not a synonym for “bad”.
• A veneer of organization — Building up too much process early is a way to look busy without accomplishing anything. You have to fit it to the community’s need.
• When to add QA to your project — Add QA when someone volunteers to do it. Recruit QA when your user-reported bugs start to overwhelm your developers.

Kusari

• Achieving Wisdom with GUAC Visualizer — It’s not enough to just have the data, you need to be able to see it.
• Why Software Cannot Be Secured by SBOMs Alone (ghostwrite) — Actionable insights come from SBOMs plus additional information.

GUAC

• GUAC v0.8.0 released — The new release includes support for licenses, node deletion, and more!