I had a chat with @andrewnez about why creating a new package repository is so hard. There are a ton of little details, like support from SBOM and vulnerability scanners, that nobody usually even thinks about. There are so many little details.

Andrew does a great job explaining all this and more

https://opensourcesecurity.io/2026/2026-04-ecosystems-andrew/

Package management challenges with Andrew Nesbitt

Josh welcomes back Andrew Nesbitt to discuss some recent blog posts he wrote about the challenges of new ecosystems, as well as the challenges of no ecosystem at all, as with C. There aren't very many people who look at multiple ecosystems the way Andrew does. He has thoughts on why it's so hard to create a new ecosystem, as well as some of the reasons we don't see a C language ecosystem. Andrew has a ton of interesting ideas and insight for us about existing, new, and nonexistent ecosystems.

Open Source Security
@joshbressers @andrewnez Any mention of NixOS? Throughout the industry I keep seeing more and more people jump into problems that, in my naivety, seem solved through it.

@eljojo @andrewnez

I don't think it comes up. We spend a lot of time on Zig and C because both lack robust package management systems (for very different reasons)

Nix has the ecosystem side in pretty good shape (as do the other major package repos)

@joshbressers @andrewnez Psst, I believe you mixed up Michael Winser's name with Michael Scovetta a few times ...

@bagder @andrewnez

Ugh, I am not a smart person :)