What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• You’d better start believing in supply chains because you’re in one — This talk started as a silly joke, but it covers a serious and timely topic.
• A trust paradox — If automated CI tests are both a way to measure trust and a vector for attack, what’s the responsible maintainer to do?

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• New metrics resource page and updated AI resources page — I made the website a little more useful.
• Sometimes saying less is more — If you can cut a word or phrase without losing clarity, do it.
• What does it mean to be welcoming? — The whole point of adding community members is to change the community in some beneficial way. Being welcoming takes active, ongoing effort.
• Trust in open source communities — Open source communities run on trust. But what does “trust” mean, how do you measure it, and what do you do with it?

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• Open source trends in 2026 — I peer into my crystal ball to see what 2026 will hold.
• GitHub Discussions versus Discourse — The GitHub Discussions versus Discourse comparison isn’t about which is better — both are good. But which is better for your specific project?
• Measuring contributor affiliations is complicated — Determining a contributor’s affiliation is not as easy as it seems. It’s not always clear if a contribution is part of someone’s job.
• Use your labels — A label that you don’t use complicates the experience. A label that you’re not consistent in using will lead to unreliable analysis data.
• Open conversations are worthwhile — There are valid reasons to hesitate about having “public” conversations, and it’s a hard skill to build, but the effort is worthwhile.

Where have I been writing when I haven’t been writing here?

Duck Alignment Academy

• The do’s and don’ts of measuring contributions “outside of working hours” — Do: not. Don’t: correct. The clock time of contributions tells you very little, and almost certainly not what you’re trying to learn.
• Invalid bug reports are sometimes documentation bugs — Invalid bug reports often represent real bugs, it’s just that they’re documentation bugs instead of software bugs.
• How quickly should you fix vulnerabilities? — It’s okay to say “pay me if you want fast fixes”, but communicate that policy ahead of time so people can make informed decisions.
• Reviewing open source trends in 2025 — How well did I capture trends in open source for 2025? The vibe was right, even if some of the specifics were wrong.

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• Giving contribution gifts: the risks and rewards — Giving contribution gifts can be a great way to reward people for the work they do in your project, but it comes with challenges.
• curl’s zero issues — The curl project briefly achieved zero open issues. If you want that for your project, there are a few simple things to do.

Kusari

• Breaking the “Department of No” – Ship Fast, but also Secure — Security shouldn’t slow you down. Kusari and Cloudsmith enable faster, safer releases by turning noisy CVE scans into actionable insight and enforcing policy from build to deploy. Go fast and secure.

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• Who should enforce the code of conduct? — There are valid reasons to involve outside experts in code of conduct enforcement, but it’s ultimately a leadership responsibility.
• Duplicate bug reports and how to handle them — Duplicate bug reports waste time for everyone involved. You can reduce them by understanding the complicated dynamics.
• Who is a “member” of your project? — We often use the words “contributor” and “member” interchangeably in open source projects, but there are subtle differences between the two.

Kusari

• Celebrating OpenSSF’s Anniversary — Kusari celebrates the past, present, and future of the Open Source Security Foundation.
• Using Kusari Platform to Manage your Open Source Dependencies (ghostwrite) — Companies need to pay attention to the security of their open source dependencies. Kusari Platform can help.

DEVOPSdigest

• What America’s AI Action Plan means for you today — The recent directive from the White House is light on details, but you can start heading in the right direction to be ready when the details arrive.

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• Using AI moderation tools — Use AI moderation tools to help human moderators, not to act on their own. Don’t take the humanity out of your community management.
• You can only expect the help you ask for — People won’t know you need help unless you ask for it. Be specific about what you need and be prepare to help the helpers.

Kusari

• Supply chain security for gitops — Software supply chain security doesn’t stop at the application layer. Kusari Inspector can help secure your infrastructure-as-code, too. 
• Addressing the challenges of cloud-native application security — Kusari’s software supply chain expertise gives you the ability to overcome the challenges in securing your cloud-native applications.

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• The right tool is the one people can use — If a tool is a means to an end (and it is!), then the right tool is the one that gets the job done. Even if it wasn’t intended for that purpose.
• Your only obligations are the promises you make — A recent policy change in libxml2 highlights the fact that project maintainers don’t have to do something just because it’s a good idea.

OpenSSF

• GUAC 1.0 is Now Available — After three years and contributions from 400+ people across 90 organizations, GUAC has reached 1.0!

GUAC

• GUAC update: May 2025

What have I been writing when I haven’t been writing here?

Kusari

• Securing the Software Supply Chain book now available! — This new book from Michael Liberman and Brandon Lum (edited by yours truly!) guides you from the basics of supply chain security through to being a security expert.
• The future of CVEs — Recent funding concerns have highlighted the need for a more resilient system of vulnerability identification.

GUAC

• GUAC Update: March 2025

What have I been writing when I haven’t been writing here?

Kusari

• Raising the Bar for Open Source Security: Introducing the OSPS Baseline — Kusari is proud to contribute to the Open Source Project Security Baseline, an OpenSSF project to help open source maintainers improve their security posture.
• Unpacking Kusari Platform Views (ghostwrite) — Kusari Platform gives you the information you need to secure your software supply chain.
• Starting the security journey: producing an SBOM (ghostwrite) — A hypothetical organization takes the first step on their software supply chain security journey by creating an SBOM for their application.
• The next step in the security journey: comparing SBOMs (ghostwrite) — Once you have multiple releases, you have multiple SBOMs. What can you learn from comparing them?
• Another step on the security journey: a constellation of SBOMs (ghostwrite) — When you need a solution for managing your software supply chain, the Kusari Platform provides enterprise-ready features backed by security expertise.
  • The last step on the security journey: Kusari Platform (ghostwrite) — When you need a solution for managing your software supply chain, the Kusari Platform provides enterprise-ready features backed by security expertise.
  • Securing your AI Models (ghostwrite) — The abilities of generative and agentic AI models require a proactive approach to protecting the AI supply chain.

Duck Alignment Academy

• Rules and policies are necessary to define good behavior — Think of it this way: having rules and policies for behavior in your community is like documenting the community’s API.
• Helping your project survive the loss of core contributors — Only 27% of projects that lose their core developers survive, but you can take steps to give your project its best chance.
• Facilitating decisions is more important than making them — You cannot decide on behalf of the community. Facilitating decisions is how you build a community that wants to stick around.

GUAC

• GUAC Update: February 2025
• March 2025 Community Meeting