Other writing: July 2025

Posted on August 7, 2025 by Ben Cotton

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

Using AI moderation tools — Use AI moderation tools to help human moderators, not to act on their own. Don’t take the humanity out of your community management.
You can only expect the help you ask for — People won’t know you need help unless you ask for it. Be specific about what you need and be prepare to help the helpers.

Kusari

Supply chain security for gitops — Software supply chain security doesn’t stop at the application layer. Kusari Inspector can help secure your infrastructure-as-code, too.
Addressing the challenges of cloud-native application security — Kusari’s software supply chain expertise gives you the ability to overcome the challenges in securing your cloud-native applications.

Other writing: June 2025

Posted on July 11, 2025 by Ben Cotton

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

The right tool is the one people can use — If a tool is a means to an end (and it is!), then the right tool is the one that gets the job done. Even if it wasn’t intended for that purpose.
Your only obligations are the promises you make — A recent policy change in libxml2 highlights the fact that project maintainers don’t have to do something just because it’s a good idea.

OpenSSF

GUAC 1.0 is Now Available — After three years and contributions from 400+ people across 90 organizations, GUAC has reached 1.0!

GUAC

GUAC update: May 2025

Other writing: May 2025

Posted on June 3, 2025 by Ben Cotton

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

Use reserved domains and IPs in examples — Domains and IP blocks specifically reserved for documentation purposes are far better than the placeholders you’re probably using.
Adding pre-report bug discussion — The Ghostty project requires bug reports to start as discussion threads. If they’re actionable, a maintainer converts the thread to an issue.
Growing your project means doing less coding — You can’t hide from the reality of a growth in non-coding tasks. If you want to keep writing code, recruit others to take on the rest.
It’s okay to be partial to your work — It’s okay to be partial to — and promote — your own work, so long as you follow the community’s process.

OpenSSF

New Guide on Simplifying Software Component Updates — My name isn’t on this, but I helped with some editing on both the guide and the blog post.

Kusari

Open source accelerates secure software — The US DoD’s Software Fast-Track Initiative looks to improve software procurement and security. Open source software must be a key part of this.
Code is More Important than Identity for Security — Asking open source contributors to prove their legal identity doesn’t make software more secure.

I owe my career to Unidata

Posted on May 12, 2025 by Ben Cotton

You may wonder how a site called “Funnel Fiasco” came to have so much technology content. It all traces back to an email I sent my freshman year of college. But it’s also directly attributable to the work done at Unidata. Funded by the National Science Foundation for decades, Unidata is a cornerstone of atmospheric science education, providing software and data services. Tragically, Unidata furloughed almost all staff on Friday thanks to the assholes running the government.

A fateful email

Early in my freshman year, Dr. Jon Schrage was giving a tour of the Earth & Atmospheric Sciences facilities in Purdue’s Civil Engineering Building. (Ed note — Earth & Atmospheric Sciences is now Earth, Atmospheric, and Planetary Sciences. The Civil Engineering Building is now Hampton Hall. I will use the names as they were in my time as an undergraduate.) He mentioned that he’d be doing a training on the WXP software soon if anyone wanted to learn how to use it.

Reader, I very much did. So I showed up to the Civil Engineering Building on a Wednesday night. For the next two hours, I learned how to use WXP to make weather maps. At the end of the session, Jon mentioned that he was a visiting professor and his appointment was up at the end of the year. He didn’t know who would be maintaining the software the following year.

When I got back to my room, high on the thrill of weather plots, I sat down and sent him an email. With all of the confidence of a mediocre white man, I sent this: “I’m just a freshman who doesn’t know what he’s doing, but I’ll do it.” It’s been almost 24 years, but I’m pretty sure those were my exact words.

Did I know how to use Unix (specifically FreeBSD)? No! Did I know anything about the software? No! Was I going to let that stop me? Absolutely not.

Amazingly, the department hired me. That got me through my undergraduate years and set me up to accidentally fall into a career in technology. I’d say it has worked out pretty well so far.

Where Unidata fits in

The astute reader may notice that so far the tale centers on my overconfidence. So where does Unidata fit in?

Unidata created and maintains the Local Data Manager (LDM) software. LDM allows universities and other users to reliably share meteorological data in near-real time. From models, to observations, to satellite images, to radar data, LDM provides a robust transport mechanism. A big part of my job was administering the software and providing help to students and faculty who needed data.

The department flew me to Boulder for an in-person training workshop where I learned LDM in greater depth. Later on, I returned to Boulder for training on GEMPAK, another weather visualization and analysis suite.

The software and the training helped me become a valuable contributor my department’s education and research missions. This is what led to me getting a full-time Linux sysadmin role the summer after I graduated. No doubt there are many others like me out there — not to mention all of the forecasters and researchers who learned about the atmosphere with the help of Unidata’s work.

The Unidata staff — as well as so many other federal grant recipients, contractors, and employees — deserve far better than this administration has given them.

Other writing: April 2025

Posted on May 9, 2025 by Ben Cotton

What have I been writing when I haven’t been writing here?

Kusari

Securing the Software Supply Chain book now available! — This new book from Michael Liberman and Brandon Lum (edited by yours truly!) guides you from the basics of supply chain security through to being a security expert.
The future of CVEs — Recent funding concerns have highlighted the need for a more resilient system of vulnerability identification.

GUAC

GUAC Update: March 2025

R.I.P. Skype

Posted on May 6, 2025 by Ben Cotton

Microsoft pulled the plug on Skype yesterday. I haven’t used it in years. I even took it off of my phone at some point. Even though I was never a particularly heavy user, I still feel a bit of sadness about it.

I first became aware of Skype in (I guess) 2007. A PhD candidate in my department was defending his dissertation, but one of his committee members was from another institution. Instead of flying to West Lafayette for a two hour engagement, they joined in via Skype. As someone who grew up with sub-standard-even-for-dialup dialup Internet, this was pretty wild.

It’s not that I couldn’t conceive of high-bandwidth voice and video communication, it’s just that I hadn’t experienced it before. I didn’t really use it much myself until Mario Marathon, when we’d talk to Internet randos and famous people.

For a while, I used Skype to keep in touch with some of those Internet randos, but my Skype usage really took off when I joined Cycle Computing. When I started in 2013, we were using Skype for voice as well as chat. It was not great. Thankfully, this app called Slack launched in 2014. It didn’t have voice or video chat, so we still used Skype for that (until we switched to Zoom some time later).

By the time Microsoft acquired Cycle (which was well after they acquired Skype), they had developed Teams. My division, though, still used Skype for Business, which wasn’t Skype at all but a re-branded Lync.

From then on, I almost never used Skype. The only person I’ve Skyped with in the last 8 years or so is my wife before we lived together. It’s been years now since I’ve even logged in.

So long, Skype. You could have been awesome, except you were ignored.

Book review: Guiding Star OKRs

Posted on April 21, 2025 by Ben Cotton

Setting, tracking, and reporting OKRs is terrible. But what if it wasn’t? In Guiding Star OKRs: A New Approach to Setting and Achieving Goals, Staffan Nöteberg lays out a framework that focuses on heading in the right direction instead of trying to meet exact targets. Unlike the OKRs you may have experienced, Guiding Star OKRs are focused on getting the right results, not the pre-determined results.

In a previous role, management was big into setting cascading OKRs (which Nöteberg says not to do). My objectives were my manager’s key results. My manager’s objectives were my VP’s key results, and so on. The end result was that there was no reward for helping colleagues meet their individual OKR targets. Instead of working together, we all worked individually in the hope that it ended up achieving the company’s broader goals. Spoiler alert: it did not.

I went into reading Guiding Star OKRs expecting to shake my head at a slight variation on a broken system. Instead, I came away enthusiastic about Nöteberg’s approach. Finally, OKRs that are meaningful!

The concept of setting and attracting objectives and key results (OKRs) really took off a Google. As anyone in the sysadmin/DevOps space in the early 2010s can tell you, a lot of organizations copied Google without considering if they need to.

This book is full of practical advice and examples to help the reader adopt the framework to their organization’s specific needs. For example: “never engage in setting objectives or key results when tasks are already determined.”

Guiding Star OKRs is a must-read for leaders who want to achieve results in a sustainable way. It’s now available in print and digital formats from The Pragmatic Bookshelf.

Full disclosure: I provided the publisher with a praise quote for this book and received a complimentary copy as a result. I received no compensation for this review.

Book review: Business Success with Open Source

Posted on April 15, 2025 by Ben Cotton

Open source is big business, whether you mean companies producing open source software or using it to build their products. But too many companies don’t take an intentional approach to how they consume and create open source. There’s no excuse for that now that VM Brasseur’s new book, Business Success with Open Source: Strengthen Your Business with Free and Open Source Software, is published.

At 470 pages, this is no light treatment of the topic. Brasseur digs deep into the intersection of business and open source software with insights from her years of experience. Readers who are already deep in the open source world may find the early chapters unnecessary, but Brasseur ensures that no one gets left behind.

If you’re in a leadership role in your company and have anything to do with open source at all, you need to read this book. It’s now available in print and digital formats from The Pragmatic Bookshelf.

Full disclosure: VM Brasseur is a close personal friend. In addition, I was a technical reviewer for this book and received a complimentary copy for my work. I received no compensation for this review.

Other writing: March 2025

Posted on April 4, 2025 by Ben Cotton

What have I been writing when I haven’t been writing here?

Kusari

Raising the Bar for Open Source Security: Introducing the OSPS Baseline — Kusari is proud to contribute to the Open Source Project Security Baseline, an OpenSSF project to help open source maintainers improve their security posture.
Unpacking Kusari Platform Views (ghostwrite) — Kusari Platform gives you the information you need to secure your software supply chain.
Starting the security journey: producing an SBOM (ghostwrite) — A hypothetical organization takes the first step on their software supply chain security journey by creating an SBOM for their application.
The next step in the security journey: comparing SBOMs (ghostwrite) — Once you have multiple releases, you have multiple SBOMs. What can you learn from comparing them?
Another step on the security journey: a constellation of SBOMs (ghostwrite) — When you need a solution for managing your software supply chain, the Kusari Platform provides enterprise-ready features backed by security expertise.
- The last step on the security journey: Kusari Platform (ghostwrite) — When you need a solution for managing your software supply chain, the Kusari Platform provides enterprise-ready features backed by security expertise.
- Securing your AI Models (ghostwrite) — The abilities of generative and agentic AI models require a proactive approach to protecting the AI supply chain.

Duck Alignment Academy

Rules and policies are necessary to define good behavior — Think of it this way: having rules and policies for behavior in your community is like documenting the community’s API.
Helping your project survive the loss of core contributors — Only 27% of projects that lose their core developers survive, but you can take steps to give your project its best chance.
Facilitating decisions is more important than making them — You cannot decide on behalf of the community. Facilitating decisions is how you build a community that wants to stick around.

GUAC

Highways routed around towns

Posted on March 28, 2025 by Ben Cotton

“Don’t you think,” one of George Minafer’s unnamed compatriots asks in The Magnificent Ambersons, “that being things is rather better than doing things?” Minafer and his crowd are not the most sympathetic characters, and I don’t think Booth Tarkington intended them to be (although Minafer could arguably be considered an exaggerated avatar of his creator in certain respects), but I think there’s something to this quote.

I thought about it on a recent drive to Fort Wayne, where the Hoosier Heartland Highway in all its four-lane divided highway splendor curves around several small towns. Americans, it seems, would rather get to places than go to places. By this, I mean the journey is something to make as short as possible, not a part of the experience.

I’m no highway engineer, but every time I’ve driven the Hoosier Heartland Highway, the traffic has been almost non-existent. There seems to be very little reason for the “upgrade”, other than to let people drive faster. And as a result, there are towns that people no longer drive through. This might be good for the driver, but it seems less good for the businesses in the towns, and perhaps for us as a society.

When I drive through small towns, I sometimes wonder how much longer they have. The population of Americus, through which Indiana 25 no longer passes, has fallen from 630 in 2012 when the Hoosier Heartland Highway opened to 57 in 2023. Some of this is part of a general trend, to be sure, but not all of it.

Are we really in such a hurry that we’re willing to give up unique places in exchange for the sameness of limited-access highways with the same fast food places at every exit? Probably. I’m guilty of it myself. But there’s a lot we’re missing out on that we might not get back when it’s gone. We could do with spending more time being and less time doing.

Blog Fiasco

The world's only(?) FOSS/weather/sports/marketing/high-performance computing blog

Other writing: July 2025

Duck Alignment Academy

Kusari

Other writing: June 2025

Duck Alignment Academy

OpenSSF

GUAC

Other writing: May 2025

Duck Alignment Academy

OpenSSF

Kusari

I owe my career to Unidata

A fateful email

Where Unidata fits in

Other writing: April 2025

Kusari

GUAC

R.I.P. Skype

Book review: Guiding Star OKRs

Book review: Business Success with Open Source

Other writing: March 2025

Kusari

Duck Alignment Academy

GUAC

Highways routed around towns