Andrew Nesbitt

@andrewnez
1.3K Followers
700 Following
2K Posts
Package Management Nerd, working on mapping the world of open source software https://ecosyste.ms and blogging about package managers at https://nesbitt.io
GitHub: https://github.com/andrew
Twitter: https://twitter.com/teabass
Homepage: https://nesbitt.io
Bluesky: https://bsky.app/profile/andrewnez.bsky.social
Recently every time I get a dependabot security alert, rather than try and fix/update it, I just spend the same amount of time trying to remove the dependency instead.
The Third Bit: An E-Bike for the Mind

Do any of my software engineering friends have a student who is interested in static and dynamic program analysis and is in need of a project?

Conventional commit format sucks. What you really want is to use git trailers. The subject line of a commit message is PRIME real estate, and shouldn't be wasted on tools

https://alchemists.io/articles/git_trailers

https://www.conventionalcommits.org/en/v1.0.0/

Git Trailers | Alchemists

A collective devoted to the craft of software engineering where expertise is transmuted into joy.

📢 Announcing the Open Social Awards🏆

Alongside @publicspaces and @waag, we aim to honor the work of independent builders around the world, creating innovative products for the open web!

More details below…

https://newpublic.org/OSA

Open Social Awards | New_ Public

The awards aim to recognize and celebrate the breakthrough products of developers building on open protocols such as ATProtocol and ActivityPub.

New_ Public

RE: https://fosstodon.org/@jni/116287554201659198

I said digital attestations and `pylock.toml` would have helped with the litellm attack. People asked for more details, so I wrote a blog post explaining why. It also hopefully acts as motivation for people to use:

- Trusted publishing
- Digital attestations
- Lock files, and `pylock.toml` specifically

https://snarky.ca/why-pylock-toml-includes-digital-attestations/

So yes, @jni, I have a "human-readable intro" because I wrote one for you (and the other folks asking me questions on the subject). 😁

The Third Bit: Classifying Research Software

Anyone know of research on how people “discover” new open source that they want to use? Does one search GitHub for strings relevant to what they are looking for? See code used in other projects? Are there other registries?
The Top 10 Biggest Conspiracies in Open Source

I’m not connecting these dots. I’m just pointing out that the dots are there.


I wrote this up in a bit more detail in a clickbait-titled article

https://opensourcesecurity.io/2026/03-open-source-eulogy/

Eulogy for open source

Thank you for clicking on the clickbait! What a year it’s been. It seems like open source is under constant attack. The security people don’t know what’s going on anymore. What day is it? It doesn’t matter. The latest open source mess is the popular open source scanner Trivy being compromised, for a month, then other open source projects downstream in the “chain” getting compromised, which will probably lead to more things getting compromised until we get back to Trivy someday. Then I think we have to call it a supply wheel. I’m not sure how these rules work.

Open Source Security