Splitting conversations splits community — Community leaders are often too quick to segment conversations into different channels, which effectively hides the activity.
What have I been writing when I haven’t been writing here?
Duck Alignment Academy
Use reserved domains and IPs in examples — Domains and IP blocks specifically reserved for documentation purposes are far better than the placeholders you’re probably using.
Adding pre-report bug discussion — The Ghostty project requires bug reports to start as discussion threads. If they’re actionable, a maintainer converts the thread to an issue.
Growing your project means doing less coding — You can’t hide from the reality of a growth in non-coding tasks. If you want to keep writing code, recruit others to take on the rest.
Open source accelerates secure software — The US DoD’s Software Fast-Track Initiative looks to improve software procurement and security. Open source software must be a key part of this.
On Tuesday, I drove up to Chicago for the DevOpsDays event there. I’d never been to one, but they gave me a nice discount after rejecting my talk proposal, and it’s only a few hours, so I decided “why not?” I’m not really in the DevOps space anymore (to the degree I ever was), so I was a little worried that I wouldn’t be able to keep up. But the good news is that I was!
The DevOpsDays Chicago yak and its handler.
First, though, I want to tell you about a little DevOops I had. The bathrooms in the venue are fancy. They have bottles of mouthwash and little disposable cups for people who want to have minty fresh breath. I only discovered this after I washed my hands. I reflexively reached for the bottle on the counter and scrubbed dutifully. Then I realized my hands were minty fresh. I was sure to use the soap the rest of the day.
The morning had several good talks. Reid Savage gave a talk called “anti-devops.” They included such concepts as “transparency is bad,” “silos are good,” and “stop shipping iteratively.” While that might sound contrarian, it was not. Reid’s point was more of “you can have too much of a good thing.” They were the source of my favorite notes:
Transparency without clarity is bad. “I really need to pee” is providing transparency. “Do you see a bathroom nearby?” is providing clarity.
Paul Czarkowski gave a talk about running private AI on home infrastructure. He was mostly able to do live demos, which is always a risky proposition. He also said something that I want to tattoo on a lot of people’s foreheads: “Anytime you ask an AI a question, you need to be able to think critically about the response.”
The final full-length talk of the morning came from Annie Hedgpeth. Her talk explained professional networking with an analogy to systems networking. Like her, I’ve found that the relationships are more important to my career than the technical problems I’ve solved. As she said, “Like disaster recovery, professional relationships are an ongoing practice, not an emergency response.”
Just before the lunch break, there was a series of ignite talks. These are short talks with auto-advancing slides. I have a lot of speaking experience, but the thought of doing an ignite talk gives me a sense of dread. I have a ton of respect for anyone willing to get on stage and deliver a talk of any quality, but these were all good. I bought a copy of Robert Snyder’s Innovation Portfolio because I was intrigued by his “five verbs” concept. Expect a Duck Alignment Academy post on that someday.
After lunch, we had open sessions. I proposed one on supply chain security that I called “the next log4shell happened and I do or do not know what to do next.” I also attended one on reusable workflows (do they make us dumber?) and one on communicating with executives. All three had great conversations.
On top of all of the great professional content, I was also able to spend a few minutes catching up with a couple of folks I haven’t seen since the Before Times. It was great to see Jamie and Matty again. Hopefully it won’t be half a decade until the next time.
Ben and Matty taking a selfie.
This was the 10th DevOpsDays Chicago, and I’m looking forward to the 11th. Now that I have a better sense for the vibe, I’m motivated to tweak my proposal and give a future event a try. Perhaps Des Moines or Detroit later this year?
Improvement requires context — If you swoop in uninformed, you might make some correct decisions, but you’ll probably make more wrong ones. (I’m looking at you, Elon.)
Unpacking the Kusari Score (ghostwrite) — Cut through the noise to prioritize which vulnerability gets fixed next.
Unpacking the Kusari “Effort to Fix” Capability (ghostwrite) — Get a clear understanding of the work involved in remediating a vulnerability so you can schedule it in your sprint without blocking feature work.
Analyzing third-party risk in open source software — Third-party risk management is an important part of protecting your organization. But how do you manage the risks of open source software when you have no vendor relationship?
Addressing third-party risk in open source software — Once you’ve discovered the third-party risks in the open source projects you consume, how do you address those risks without having a vendor relationship with the projects?
Open source is not consent for experiments — You can do whatever you want with the code you download. But once you’re writing instead of reading, you need to be a good participant.
Kusari
You Can’t Fix Issues if You Can’t Find Them — Organizations often struggle to identify vulnerabilities and risks hidden within the layers of dependencies. Address it by using a holistic approach to software security.
Finding software licenses with GUAC — Need to find the software in your dependency graph where the declared license doesn’t match the detected license? GUAC can do that!
Sometime in August, I saw a post on Facebook about a fundraiser for the American Heart Association. The goal was to bike for 100 miles in the month of September and get donations. “What the heck? Why not?” I said to myself in a fit of committing myself to things I don’t have the capacity for. It’s on brand, you have to give me that much.
Keep in mind, I haven’t biked 100 miles in the last decade. There was a time when I commuted to work on my bike a couple of times a week. I was much younger then. But what the heck, there’s no reason I couldn’t do this. Plus, my doctor wants me to lose a few pounds, anyway.
The ride
The hardest part, I knew, would be finding the time to ride. It’s a busy time with kids’ activities and whatnot, so I had to get the miles in where I could. I got off to a strong start on Labor Day weekend, and used Sundays to good effect, generally. I snuck in some midday and evening rides when I could.
Here’s a thing you might not know: Indiana isn’t all flat. The area I live in now is far flatter than where I grew up, but it’s not without some hills. The Wabash River, over the millennia, has carved some contours into the elevation map. As an unfortunate result, most of the interesting places to ride are downhill from my house. I used the bike rack at first, but after I’d done a few rides, I got up the nerve to tackle the hill. As you might have guessed, I survived, but it wasn’t always pleasant. On one ride, I went all the way up the trail through Happy Hollow Park (and then back down Happy Hollow Road, which was fun). Only later did I think “oh yeah, I still need to get back up to my house.” My heart rate hit the low 180s, but I got home without walking the bike.
I also met my (admittedly modest) fundraising goal. I tried to goad people into donating more by saying I’d add an extra mile for every $10 over the goal before I reached the 100 mark. But I was chicken and didn’t make that offer until I was almost there.
The joy
The exercise was good, as was the fundraising. But the best part was just the joy of being out and about. I’m unabashedly a fan of Greater Lafayette, and I tried to plan my routes in such a way that I could enjoy some of what makes it My City. Some of the places I enjoyed:
Sometimes I rode solo, which gave me some rare alone time. Sometimes I rode with my wife. Sometimes I rode with my youngest kid. Sometimes my two youngest kids and my wife and I all rode around the neighborhood together.
I don’t know if I’ll want to put myself through the stress of trying to make sure I can meet my goal again, but it definitely got me more active and wanting to spend more time on my bike.
Use care in examples and placeholders — Placeholder configs for services that the user will interact with should be intentionally broken to protect users and innocent bystanders.
Combinatorial releases won’t help — The general software release workflow looks like something Gutenberg would recognize from 1440 because it actually works pretty well.
What does it mean to pretend to be something else? In one of my favorite books, Mother Night, the character Howard W. Campbell, Junior concludes that “we are what we pretend to be, so we must be careful what we pretend to be.” Viet Thanh Nguyen’s narrator in The Sympathizer reaches no conclusions, but he struggles with the thought throughout the story.
I saw — or imagined — a lot of parallels between Mother Night and The Sympathizer, which no doubt predisposed me to liking the latter. Both books take the form of the protagonist recounting his exploits for a captor, mixing self-reflection with facts. Both take place in a war setting, with characters having authentic connections to the people they’re trying to deceive.
But just because the themes rhyme, that doesn’t make The Sympathizer any less its own work. If nothing else, it’s a rare work that looks at the Vietnam War from the North Vietnamese perspective. It’s also a really enjoyable book in its own right. The fact that the narrator cannot answer the questions he asks himself gives the reader something to think about long after the book is done.
I loved this book to the point that I stayed up far too late to finish it. I’m looking forward to reading the sequel that I just found out existed.
What have I been writing when I haven’t been writing here?
Stuff I wrote
Duck Alignment Academy
Incentives power open source — A company making requests of a project has to explain the incentives in a way the project members will care about, not in a way the company cares about.
Should you care about GitHub stars? — If GitHub stars give you dopamine, then care about them. Don’t try to draw any conclusions from stars, just bask in their glory.
Bug fixes only matter if they get to the user — Any bug that blocks a release from getting to users is worthy of an immediate fix release. This is true even if the bug is minor by itself.
License changes are API changes — Making a license change affects how people interact with your project. You need to treat license changes as if they were changes to your API.
Getting started is just the start — You’ll need to continually refine processes as you go. That’s easier if you think beyond just what you need at the start.
What have I been writing when I haven’t been writing here?
Stuff I wrote
Duck Alignment Academy
Fork yes: embrace forks of your project — If you’ve done what you can to make your community a great place to contribute, then you can feel free to embrace any forks that happen.
Keep your bug tracker unified — When your bug tracking is scattered across different platforms, you make it harder for your users to file reports.
Semantic versioning in large projects — SemVer can work for large projects, but it’s not a fit for every case. Whatever you pick, document it clearly.
Grow by delegating — Don’t hoard responsibility. Give new contributors a sense of ownership so that they’ll stick around your community.