Other writing: March 2025

Posted on April 4, 2025 by Ben Cotton

What have I been writing when I haven’t been writing here?

Kusari

Raising the Bar for Open Source Security: Introducing the OSPS Baseline — Kusari is proud to contribute to the Open Source Project Security Baseline, an OpenSSF project to help open source maintainers improve their security posture.
Unpacking Kusari Platform Views (ghostwrite) — Kusari Platform gives you the information you need to secure your software supply chain.
Starting the security journey: producing an SBOM (ghostwrite) — A hypothetical organization takes the first step on their software supply chain security journey by creating an SBOM for their application.
The next step in the security journey: comparing SBOMs (ghostwrite) — Once you have multiple releases, you have multiple SBOMs. What can you learn from comparing them?
Another step on the security journey: a constellation of SBOMs (ghostwrite) — When you need a solution for managing your software supply chain, the Kusari Platform provides enterprise-ready features backed by security expertise.
- The last step on the security journey: Kusari Platform (ghostwrite) — When you need a solution for managing your software supply chain, the Kusari Platform provides enterprise-ready features backed by security expertise.
- Securing your AI Models (ghostwrite) — The abilities of generative and agentic AI models require a proactive approach to protecting the AI supply chain.

Duck Alignment Academy

Rules and policies are necessary to define good behavior — Think of it this way: having rules and policies for behavior in your community is like documenting the community’s API.
Helping your project survive the loss of core contributors — Only 27% of projects that lose their core developers survive, but you can take steps to give your project its best chance.
Facilitating decisions is more important than making them — You cannot decide on behalf of the community. Facilitating decisions is how you build a community that wants to stick around.

GUAC

Highways routed around towns

Posted on March 28, 2025 by Ben Cotton

“Don’t you think,” one of George Minafer’s unnamed compatriots asks in The Magnificent Ambersons, “that being things is rather better than doing things?” Minafer and his crowd are not the most sympathetic characters, and I don’t think Booth Tarkington intended them to be (although Minafer could arguably be considered an exaggerated avatar of his creator in certain respects), but I think there’s something to this quote.

I thought about it on a recent drive to Fort Wayne, where the Hoosier Heartland Highway in all its four-lane divided highway splendor curves around several small towns. Americans, it seems, would rather get to places than go to places. By this, I mean the journey is something to make as short as possible, not a part of the experience.

I’m no highway engineer, but every time I’ve driven the Hoosier Heartland Highway, the traffic has been almost non-existent. There seems to be very little reason for the “upgrade”, other than to let people drive faster. And as a result, there are towns that people no longer drive through. This might be good for the driver, but it seems less good for the businesses in the towns, and perhaps for us as a society.

When I drive through small towns, I sometimes wonder how much longer they have. The population of Americus, through which Indiana 25 no longer passes, has fallen from 630 in 2012 when the Hoosier Heartland Highway opened to 57 in 2023. Some of this is part of a general trend, to be sure, but not all of it.

Are we really in such a hurry that we’re willing to give up unique places in exchange for the sameness of limited-access highways with the same fast food places at every exit? Probably. I’m guilty of it myself. But there’s a lot we’re missing out on that we might not get back when it’s gone. We could do with spending more time being and less time doing.

Baseball and me in 2025

Posted on March 24, 2025 by Ben Cotton

Once again borrowing from Chris O’Donnell, I thought I’d write about my relationship to baseball in 2025.

Like many American boys, I grew up playing Little League baseball. I loved the game, even though I was decidedly bad at it. When I got to the age where I’d be on the more competitive traveling teams, I retired. Instead, I helped out as an assistant coach and scorekeeper for my younger sisters’ softball teams.

My family would go to a couple of AAA games in Louisville most years and I’d watch the All Star Game and World Series on TV usually, but that was about it. I was decidedly a casual fan. It didn’t help that “my” team was 600 miles away, which means 1. we definitely were not going to see a home game and 2. they weren’t on TV basically ever.

Reader, have I ever told you the story of how I became an Orioles fan? Again, like many American boys, I collected baseball cards. Like boys who only had sisters, I often wished I had a brother. So when I ended up with baseball cards for brothers Cal, Jr. and Bill Ripken and they played for the same team I was enthralled. Not long after that, Cal, Jr. broke Lou Gehrig’s consecutive game stream, and I was hooked for life.

So given that the Orioles have been really good the last few years and that I can easily watch most of their games online, you might think I’d be a more engaged fan. Well…I’m not.

Baseball invites a casualness that I don’t get from most other sports. The slowness of the game itself that some complain about is a feature to me. You can sit back, have a conversation, drink a beer or two, and just let the world go by for a bit. And MLB plays 162 games a year, so it’s okay if you miss one or ten.

I’ve tried playing in fantasy baseball leagues, but I just don’t get into it enough to do well. And my life is busy enough that watching more than the occasional game on TV is difficult. So as the 2025 baseball season starts, I’ll mostly catch up on the Orioles via the blogs I read and maybe I’ll sneak in a game here and there. I’ll keep going to the Lafayette Aviators games because they’re cheap and local. Baseball, like most sports, is better experienced in person.

DevOpsDays Chicago 2025 recap

Posted on March 21, 2025 by Ben Cotton

On Tuesday, I drove up to Chicago for the DevOpsDays event there. I’d never been to one, but they gave me a nice discount after rejecting my talk proposal, and it’s only a few hours, so I decided “why not?” I’m not really in the DevOps space anymore (to the degree I ever was), so I was a little worried that I wouldn’t be able to keep up. But the good news is that I was!

The DevOpsDays Chicago yak and its handler.

First, though, I want to tell you about a little DevOops I had. The bathrooms in the venue are fancy. They have bottles of mouthwash and little disposable cups for people who want to have minty fresh breath. I only discovered this after I washed my hands. I reflexively reached for the bottle on the counter and scrubbed dutifully. Then I realized my hands were minty fresh. I was sure to use the soap the rest of the day.

The morning had several good talks. Reid Savage gave a talk called “anti-devops.” They included such concepts as “transparency is bad,” “silos are good,” and “stop shipping iteratively.” While that might sound contrarian, it was not. Reid’s point was more of “you can have too much of a good thing.” They were the source of my favorite notes:

Transparency without clarity is bad. “I really need to pee” is providing transparency. “Do you see a bathroom nearby?” is providing clarity.

Paul Czarkowski gave a talk about running private AI on home infrastructure. He was mostly able to do live demos, which is always a risky proposition. He also said something that I want to tattoo on a lot of people’s foreheads: “Anytime you ask an AI a question, you need to be able to think critically about the response.”

The final full-length talk of the morning came from Annie Hedgpeth. Her talk explained professional networking with an analogy to systems networking. Like her, I’ve found that the relationships are more important to my career than the technical problems I’ve solved. As she said, “Like disaster recovery, professional relationships are an ongoing practice, not an emergency response.”

Just before the lunch break, there was a series of ignite talks. These are short talks with auto-advancing slides. I have a lot of speaking experience, but the thought of doing an ignite talk gives me a sense of dread. I have a ton of respect for anyone willing to get on stage and deliver a talk of any quality, but these were all good. I bought a copy of Robert Snyder’s Innovation Portfolio because I was intrigued by his “five verbs” concept. Expect a Duck Alignment Academy post on that someday.

After lunch, we had open sessions. I proposed one on supply chain security that I called “the next log4shell happened and I do or do not know what to do next.” I also attended one on reusable workflows (do they make us dumber?) and one on communicating with executives. All three had great conversations.

On top of all of the great professional content, I was also able to spend a few minutes catching up with a couple of folks I haven’t seen since the Before Times. It was great to see Jamie and Matty again. Hopefully it won’t be half a decade until the next time.

This was the 10th DevOpsDays Chicago, and I’m looking forward to the 11th. Now that I have a better sense for the vibe, I’m motivated to tweak my proposal and give a future event a try. Perhaps Des Moines or Detroit later this year?

“The Dress” and shared reality

Posted on March 17, 2025 by Ben Cotton

For the better part of the last decade (and perhaps longer), we’ve struggled with the fact that not everyone is living in the same reality. Political polarization is, in my view, less about reasoned differences in policy preferences and more about the fact that we’re not working from the same set of facts. Nothing I can say will convince someone who believes that a secret cabal is trafficking children in the basement of a pizza restaurant. Or more banally, that Joe Biden shut down the country at the beginning of the COVID-19 pandemic.

We recently passed the 10th anniversary of “The Dress,” which some say is the start of all of this.

The day of The Dress, I was interviewing for a job. I wasn’t allowed to have my phone at the facility, so I was offline most of the day. When I got to the airport, I had a chance to catch up on work and also the Internet. I’ll admit that I was a lot more interested in the llamas running loose in Arizona than some photo of a white and gold (don’t @ me) dress.

“The Dress” was definitely a shared experience for those of us terminally online in 2015. Whether it’s the event that tore us apart or not is harder to say. It does seem to mark a turning point, but the same could be said for the deaths of David Bowie and Harambe in 2016.

Instead of a beginning, The Dress might be an end. I see it as the end of shared experiences. With so many entertainment options, we don’t have things like the final episode of “M*A*S*H” or “Seinfeld” to have a shared experience. And maybe that’s part of the reason we don’t have a shared reality.

Other writing: February 2024

Posted on March 7, 2025 by Ben Cotton

What have I been writing when I haven’t been writing here?

Duck Alignment Academy

Open source projects don’t exist separately from the outside world — You do your community a disservice when you treat open source as a noble pursuit that’s separate from the noise of daily life.
Prioritizing your tasks with the Eisenhower Matrix — The Eisenhower Matrix is a simple framework for prioritizing your tasks by determining a task’s importance and urgency.
Improvement requires context — If you swoop in uninformed, you might make some correct decisions, but you’ll probably make more wrong ones. (I’m looking at you, Elon.)
Every project is a software project — It’s a good reminder that our audience is broader than we might think and we should act accordingly.

Kusari

Alarms Raised by Critical Reverse Backdoor Vulnerability in Medical Devices (ghostwrite) —Medical monitors have critical security flaws, allowing unauthorized code execution and patient data leaks.
Unpacking the Kusari Score (ghostwrite) — Cut through the noise to prioritize which vulnerability gets fixed next.
Unpacking the Kusari “Effort to Fix” Capability (ghostwrite) — Get a clear understanding of the work involved in remediating a vulnerability so you can schedule it in your sprint without blocking feature work.
Analyzing third-party risk in open source software — Third-party risk management is an important part of protecting your organization. But how do you manage the risks of open source software when you have no vendor relationship?
Addressing third-party risk in open source software — Once you’ve discovered the third-party risks in the open source projects you consume, how do you address those risks without having a vendor relationship with the projects?

GUAC

I finally cancelled my Washington Post subscription

Posted on March 3, 2025 by Ben Cotton

Last week, I cancelled my subscription to the Washington Post after its owner made clear that he is going to influence the editorial direction. The news side, they say, remains un-influenced. Even if that’s true, my money is somewhat indistinguishable. I can’t say “I’m subscribing to support the journalists only.” If Jeff Bezos wants to talk free market, I will be a free market actor. I still pay for great journalism from Marketplace, NPR, WIRED, The New Yorker, Ars Technica, and my local “retired” reporter/columnist. Plus the okayish journalism from two local papers squeezed to near-death by Gannett. The billionaire can do without my $120/year.

At the risk of turning Blog Fiasco into “Ben’s Collection of Open Letters”, I wrote this to WaPo’s support when I cancelled:

Since the “other” option in the subscription cancellation workflow doesn’t provide a text field, I thought I should take a moment to let you know why. I am an ardent believer that journalism is worth paying for. I am not an ardent believer in oligarchy. If Mr. Bezos chooses to put his thumb on the scale of the Post’s opinion page, then he doesn’t need help from my money. Jeff Bezos could fund the Post’s operational losses for the next century and only lose less than 5% of his net worth. I considered cancelling my subscription after the Post did not make an endorsement in the presidential election, as many others did. Ultimately, I chose not to because I understand that the reporters and editors doing the daily work don’t control what the executives do. But I can no longer contribute to this in good conscience. Democracy may die in darkness, but oligarchy blows out the candles.

Shortly thereafter, I got a canned reply:

For 138 years, The Washington Post has committed its pages to covering and holding power to account. Our Newsroom remains dedicated to independent reporting and fact-based journalism. Our Opinion pages will now focus on the pillars of free markets and personal liberties, two underserved viewpoints in the current market of ideas and news opinion. We look forward to continuing to be a publication for all of America.

Bullshit. Blink if you need help, customer support rep.

A letter to Purdue’s president

Posted on February 28, 2025 by Ben Cotton

I sent the following email to Mung Chiang, the president of Purdue University, last Wednesday. As of publication, I have not received a reply from his office.

President Chiang,

I write to you as a two-time Purdue alumnus, former staff member, and Lafayette resident. Like many, I am concerned about the abrupt cuts in federal funding and the state and federal attacks on diversity, equity, and inclusion. This not only affects an institution that I hold dear, but it harms the long-term future of society at large.

To that end, I am disappointed that Purdue has not taken a more vocal position. I understand and respect the desire to stay out of politics. But I am not asking the University to weigh in on what the top marginal tax rate should be. Purdue only stands to lose if the federal government continues to renege on commitments to funding. How can the Purdue One Health Initiative hope to be successful in an environment where science is ignored in favor of political loyalties and the NIH is being slashed?

How can Purdue continue to attract the best for its faculty, staff, and students when any effort to reach out to and support under-indexed people is forbidden? Research shows that diverse teams produce better results, so DEI programs are materially beneficial as well as ethically right.

I appreciate that what I am asking will draw unwanted attack, but it’s in the best long-term interests of the university to take a stand. As we remind ourselves in the opening line of “Hail Purdue!”: to your call one more we rally.

Yours,

Benjamin Cotton
BS 2006
MS 2014

Should we care where EF5 tornadoes have gone?

Posted on February 24, 2025 by Ben Cotton

Anthony W. Lyza, Harold E. Brooks, and Makenzie J. Krocak have an early-access paper in the Bulletin of the American Meteorological Society wondering where the EF5s have gone. This paper is an interesting look at the extended “drought” in the strongest category of tornadoes. The title of my post is not questioning the value of their work, but the paper does make me wonder about the value of tornado ratings for the general public.

Ratings for research and forecasting

There’s certainly value for scientific research and forecasting. Because ratings are assigned based on damage, which is what people ultimately care about, there are benefits in being able to use large data sets to find patterns. “Which environments tend to produce more destructive tornadoes?” is an important question to know the answer to. The more warning we can give (at least to some extent) of the possibility of strong tornadoes, the more time people have to take appropriate precautions.

Of course, the EF rating system has flaws. Damage assessment, while greatly improved over the years, still involves subjective decisions. In addition, binning a spectrum always results in some funkiness (that’s the scientific term). The difference between 165 and 166 mph wouldn’t meaningfully change the damage caused by a tornado, but — assuming we could accurately measure tornadoes in order to rate them — would be the difference between and EF3 and EF4 rating. And there’s the question of whether or not six ratings (and the location of the boundaries) is the “best” approach. To wit: there are a variety of different categorizations of the ratings. Are any of them better suited?

Ratings for the public

But even with the value for science, do tornado ratings provide value to the public? As I wrote eight (!!) years ago, “even though the U.S. has avoided major hurricanes, it has not avoided major damage.” Even though, unlike hurricanes, tornado ratings are based on damage, the impact to people’s lives doesn’t necessarily correlate to the rating. If your house is destroyed, does it really matter if the tornado was rated EF4 or EF5? Your house is still destroyed. Even an EF2 or EF3 can render well-built homes unlivable.

Shrug emoji

Like Lyza et al, I have questions, not answers. The public knows about EF ratings, thanks t movies like “Twister” and “Twisters”. That bell can’t be un-rung. There’s a certain degree of American competitiveness involved, too. But maybe it’s time to stop making a big deal of it?

Rights for others are about us, not them

Posted on February 21, 2025 by Ben Cotton

This is a post about my personal philosophy because I feel like it’s important for us to think about the reasons behind how we view the world.

I sometimes see people express indignation when criminals get civil rights protections or when non-citizens get the rights enumerated in the Constitution. I can understand the reasoning, but it doesn’t fit with my principles for governance. I believe that the rights we give to the others within our society are about us, not them.

Many of the rights are fundamental human rights that should apply to everyone, of course. Let’s consider those a given for now.

The rights that criminals, or suspected criminals, receive are not for them. They’re a protection for us against ourselves. It should be hard for the government to convict someone of a crime, because that protects all of us from malicious prosecution and persecution by hostile governments. And our prisoners should be treated humanely, even the ones who have committed the most heinous of crimes. It’s not because they deserve it. It’s because we want to be a just and merciful society.

Extending rights to non-citizens is a direct reflection of how the Constitution was written. The Constitution does not grant rights so much as list a subset of rights that the government can’t (or can conditionally) curtail. The idea of American governance is that the government derives its authority from the people, and thus only can do what it is permitted to do. The Constitution largely refers to “people”, not “citizens” for a reason.

What it comes down to is that I want my government to reflect the world I want to live in, regardless of how others behave or what they “deserve.”