What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• Open source projects don’t exist separately from the outside world — You do your community a disservice when you treat open source as a noble pursuit that’s separate from the noise of daily life.
• Prioritizing your tasks with the Eisenhower Matrix — The Eisenhower Matrix is a simple framework for prioritizing your tasks by determining a task’s importance and urgency.
• Improvement requires context — If you swoop in uninformed, you might make some correct decisions, but you’ll probably make more wrong ones. (I’m looking at you, Elon.)
• Every project is a software project — It’s a good reminder that our audience is broader than we might think and we should act accordingly.

Kusari

• Alarms Raised by Critical Reverse Backdoor Vulnerability in Medical Devices (ghostwrite) —Medical monitors have critical security flaws, allowing unauthorized code execution and patient data leaks.
• Unpacking the Kusari Score (ghostwrite) — Cut through the noise to prioritize which vulnerability gets fixed next.
• Unpacking the Kusari “Effort to Fix” Capability (ghostwrite) — Get a clear understanding of the work involved in remediating a vulnerability so you can schedule it in your sprint without blocking feature work.
• Analyzing third-party risk in open source software — Third-party risk management is an important part of protecting your organization. But how do you manage the risks of open source software when you have no vendor relationship?
• Addressing third-party risk in open source software — Once you’ve discovered the third-party risks in the open source projects you consume, how do you address those risks without having a vendor relationship with the projects?

GUAC

• GUAC update: January 2025
• February 2025 Community Meeting

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• Building a community still means giving up control — Reddit’s new rules protect short-term value, but creating a community that’s sustainable in the long term still means giving up control.
• Open source is not consent for experiments — You can do whatever you want with the code you download. But once you’re writing instead of reading, you need to be a good participant.

Kusari

• You Can’t Fix Issues if You Can’t Find Them — Organizations often struggle to identify vulnerabilities and risks hidden within the layers of dependencies. Address it by using a holistic approach to software security.

IT Business Net

• What’s next after the Open Source AI Definition? — Now that we have OSI’s definition, where do we go from here?

GUAC

• Finding software licenses with GUAC — Need to find the software in your dependency graph where the declared license doesn’t match the detected license? GUAC can do that!
• GUAC v0.9.0 released
• GUAC v0.10.0 released
• GUAC Update: October 2024

Sometime in August, I saw a post on Facebook about a fundraiser for the American Heart Association. The goal was to bike for 100 miles in the month of September and get donations. “What the heck? Why not?” I said to myself in a fit of committing myself to things I don’t have the capacity for. It’s on brand, you have to give me that much.

Keep in mind, I haven’t biked 100 miles in the last decade. There was a time when I commuted to work on my bike a couple of times a week. I was much younger then. But what the heck, there’s no reason I couldn’t do this. Plus, my doctor wants me to lose a few pounds, anyway.

The ride

The hardest part, I knew, would be finding the time to ride. It’s a busy time with kids’ activities and whatnot, so I had to get the miles in where I could. I got off to a strong start on Labor Day weekend, and used Sundays to good effect, generally. I snuck in some midday and evening rides when I could.

Here’s a thing you might not know: Indiana isn’t all flat. The area I live now is far flatter than where I grew up, but it’s not without some hills. The Wabash River, over the millennia, has carved some contours into the elevation map. As an unfortunate result, most of the interesting places to ride are downhill from my house. I used the bike rack at first, but after I’d done a few rides, I got up the nerve to tackle the hill. As you might have guessed, I survived, but it wasn’t always pleasant. On one ride, I went all the way up the trail through Happy Hollow Park (and then back down Happy Hollow Road, which was fun). Only later did I think “oh yeah, I still need to get back up to my house.” My heart rate hit the low 180s, but I got home without walking the bike.

I also met my (admittedly modest) fundraising goal. I tried to goad people into donating more by saying I’d add an extra mile for every $10 over the goal before I reach the 100 mark. But I was chicken and didn’t make that offer until I was almost there.

The joy

The exercise was good, as was the fundraising. But the best part was just the joy of being out and about. I’m unabashedly a fan of Greater Lafayette, and I tried to plan my routes in such a way that I could enjoy some of what makes it My City. Some of the places I enjoyed:

• Wabash Heritage Trail
• Highland Park neighborhood
• Celery Bog
• Wabash Avenue neighborhood (this neighborhood is so disconnected from the rest of the city, it almost feels like a different place)
• Tapawingo Park
• John T. Myers Pedestrian Bridge
• Happy Hollow Park
• Washout Waters disc golf course
• the most un-urban intersection in the entire city

Sometimes I rode solo, which gave me some rare alone time. Sometimes I rode with my wife. Sometimes I rode with my youngest kid. Sometimes my two youngest kids and my wife and I all rode around the neighborhood together.

I don’t know if I’ll want to put myself through the stress of trying to make sure I can meet my goal again, but it definitely got me more active and wanting to spend more time on my bike.

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

• Release announcements must be a part of your process — Release announcements give you a chance to create buzz around your project that can help attract new users and contributors.
• Use care in examples and placeholders — Placeholder configs for services that the user will interact with should be intentionally broken to protect users and innocent bystanders.
• Combinatorial releases won’t help — The general software release workflow looks like something Gutenberg would recognize from 1440 because it actually works pretty well.
• Write a vision and mission statement for your project — Your project’s vision and mission statement give the community an ideal to rally around. They define what your project is — and isn’t.

What have I been writing when I haven’t been writing here?

Stuff I wrote

Duck Alignment Academy

• Incentives power open source — A company making requests of a project has to explain the incentives in a way the project members will care, not in a way the company cares.
• Conway’s Law applies to your documentation, too — In order to keep your documentation from falling into the Conway trap, you have to actively curate it across the entire project.
• Should you care about GitHub stars? — If GitHub stars give you dopamine, then care about them. Don’t try to draw any conclusions from stars, just bask in their glory.
• Bug fixes only matter if they get to the user — Any bug that blocks a release from getting to  users is  worthy of an immediate fix release. This is true even if the bug is minor by itself.
• Plan for what happens after your project is done — Your open source project will end one day. That’s okay. But you should think about what will happen with your project after it’s done.
• Roadmaps are valuable for open source projects — The moment you go from one contributor to two, you have to start coordinating. The project roadmap is an excellent tool for that.
• No task is too small to track if that’s what it takes to get it done — When in doubt, add the task. It’s better to track unnecessarily than to not track something important.
• License changes are API changes — Making a license change affects how people interact with your project. You need to treat license changes as if they were changes to your API.
• Getting started is just the start — You’ll need to continually refine processes as you go. That’s easier if you think beyond just what you need at the start.

What have I been writing when I haven’t been writing here?

Stuff I wrote

Duck Alignment Academy

• Fork yes: embrace forks of your project — If you’ve done what you can to make your community a great place to contribute, then you can feel free to embrace any forks that happen.
• Keep your bug tracker unified — When your bug tracking is scattered across different platforms, you make it harder for your users to file reports.
• Semantic versioning in large projects — SemVer can work for large projects, but it’s not a fit for every case. Whatever you pick, document it clearly.
• Grow by delegating — Don’t hoard responsibility. Give new contributors a sense of ownership so that they’ll stick around your community.

What have I been writing when I haven’t been writing here?

Stuff I wrote

Duck Alignment Academy

• Open source trends for 2024 — With 2024 here, I take a look at a few trends I see in open source this year.
• Don’t try to be too formal in policy writing ­— Don’t emulate legal language when writing policies for your community. The simpler the language, the easier everyone will understand.
• Companies: fund work that isn’t new development — Failing to invest in your upstream projects presents a large business risk. Communities, like gardens, are more productive when tended to.

Docker

• Announcing Docker Scout Software Supply Chain Solution for Open Source Projects — Docker’s new software supply chain tool is available for participants in the sponsored open source program.