I'm a Software Engineer in New York City (prev. Trail of Bits, currently Astral). Before that, I studied philosophy.

On the philosophy side, I'm chiefly interested in metaphysics (ontology and mathematics/formal systems & semantics) and deontological ethics (praise and blame, moral education, honesty & bad faith).

On the computational side, I'm chiefly interested in program analysis (compilers), security (compilers), and systems (compilers). I do a decent amount of professional open source work on projects that encompass some of those.

My opinions are my own and do not reflect those of any employer, institutions, affiliates, lovers or haters past, present, or future. They might not even be mine anymore!

Sites: https://yossarian.net / https://blog.yossarian.net / @[email protected]
This account is a replica from Hacker News. Its author can't see your replies.
Emphasis on teams; the median open source project has a fraction of a single person working on it.

I think evaluating alternatives to GitHub is going to become increasingly important over the coming years. At the same time, I think these kinds of migrations discount how much GitHub has changed the table stakes/raised the bar for what makes a valuable source forge: it's simply no longer reasonable to BYO CI or accept one that can't natively build for a common set of end-user architectures.

This on its own makes me pretty bearish on community-driven attempts to oust GitHub, even if ideologically I'm aligned with them: the real cost (both financial and in terms of complexity) of user expectations around source forges in 2026 is immense.

See also pinact[1], gha-update[2], and zizmor's unpinned-uses[3].

The main desiderata with these kinds of action pinning tools are that they (1) leave a tag comment, (2) leave that comment in a format that Dependabot and/or Renovate understands for bumping purposes, and (3) actually put the full tag in the comment, rather than the cutesy short tag that GitHub encourages people to make mutable (v4.x.y instead of v4).

[1]: https://github.com/suzuki-shunsuke/pinact

[2]: https://github.com/davidism/gha-update

[3]: https://docs.zizmor.sh/audits/#unpinned-uses
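A line-oriented check for the three desiderata in the comment above, written as an added example (it is not code from the post or from pinact, gha-update or zizmor); the sample workflow and its 40-hex commit SHAs are constructed, and the "full tag" rule assumes a three-component `vX.Y.Z` tag.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches a step such as `- uses: actions/checkout@<ref> # v4.1.7`,
# capturing the action, the ref after `@` and an optional trailing comment.
# Local (`./path`) and `docker://` references have no `@ref` and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>\S+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # a full commit SHA
FULL_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+")     # v4.1.7 (assumed format)


@dataclass
class Finding:
    line: int
    action: str
    problem: str


def audit_workflow(text: str) -> list[Finding]:
    """Report `uses:` steps that are unpinned, uncommented, or carry a short tag."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m["ref"], m["comment"]
        if not SHA_RE.match(ref):
            findings.append(Finding(lineno, m["action"], f"unpinned ref {ref!r}"))
        elif comment is None:
            findings.append(Finding(lineno, m["action"], "pinned SHA without tag comment"))
        elif not FULL_TAG_RE.match(comment):
            findings.append(Finding(lineno, m["action"], f"short/mutable tag comment {comment!r}"))
    return findings


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: actions/cache@fedcba9876543210fedcba9876543210fedcba98 # v4
      - uses: actions/upload-artifact@1111111111111111111111111111111111111111 # v4.6.0
      - uses: docker://alpine:3.20
"""
```

Only the `upload-artifact` step satisfies all three desiderata; `audit_workflow(SAMPLE_WORKFLOW)` flags lines 4, 5 and 6.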

I think GP’s point isn’t that you don’t have the freedom to decide your own interoperability (you clearly do), but that the primary remaining benefit of PGP as an ecosystem is that interoperability. If you’re throwing that away, then there’s very little reason to shackle yourself to a larger design that the cryptographic community (more or less) unanimously agrees is dangerous and antiquated.
Okay, maybe I'm just not the target audience for this. I didn't know what an ISAC was, but I've seen plenty of TLP markers on open source disclosures where it was exceedingly unclear what a "community" meant w/r/t appropriate sharing.