Latest posts
- npm Data Subject Access RequestFeb 28, 2026Andrew Nesbitt
From: Data Protection Officer, npm, Inc. (a subsidiary of GitHub, Inc., a subsidiary of Microsoft Corporation) To: [REDACTED] Date: 26 February 2026 Re: Data Subject Access Request (Ref: DSAR-2026-0041573) Response deadline: Exceeded (statutory: 30 days) Dear Data Subject, Thank you for your request under Article 15 of the General Data Protection Regulation (EU) 2016/679 to access all personal dat
- xkcd 2347Feb 27, 2026Andrew Nesbitt
I made an interactive version of xkcd 2347, the dependency comic, where you can drag blocks out of the tower and watch everything above them collapse. Matter.js handles the physics and Rough.js gives it the hand-drawn xkcd look. Each reload generates a different tower from a seeded PRNG that picks a taper profile, varies the block sizes and row widths, and drifts the whole thing slightly off-cent
- Git in PostgresFeb 26, 2026Andrew Nesbitt
In December I wrote about package managers using git as a database, and how Cargo’s index, Homebrew’s taps, Go’s module proxy, and CocoaPods’ Specs repo all hit the same wall once their access patterns outgrew what a git repo is designed for. homebrew-core has one Ruby file per package formula, and every brew update used to clone or fetch the whole repository until it got large enough that GitHub
- Two Kinds of AttestationFeb 25, 2026Andrew Nesbitt
The word “attestation” now means two unrelated things in open source, and the people using it in each sense don’t seem to be talking to each other much. npm and PyPI have both shipped build provenance attestations using Sigstore over the past couple of years. When you publish a package from GitHub Actions with trusted publishing configured, the CI environment signs an in-toto attestation binding t
- Reproducible Builds in Language Package ManagersFeb 24, 2026Andrew Nesbitt
You download a package from a registry and the registry says it was built from a particular git commit, but the tarball or wheel or crate you received is an opaque artifact that someone built on their machine and uploaded. Reproducible builds let you check by rebuilding from source yourself and comparing, and if you get the same bytes, the artifact is what it claims to be. Making this work require
- Where Do Specifications Fit in the Dependency Tree?Feb 23, 2026Andrew Nesbitt
Your Ruby gem declares required_ruby_version >= 3.0. That constraint references the Ruby 3.0 language specification, expressed through the implementation version, checked against whichever runtime happens to be running, with no distinction between MRI and JRuby, and no connection to the specification document that defines what Ruby 3.0 even is. Runtimes at least show up somewhere in the tooling. Y
- Forge-Specific Repository FoldersFeb 22, 2026Andrew Nesbitt
Git doesn’t know about CI, code review, or issue templates, but every forge that hosts git repositories has added these features through the same trick: a dot-folder in your repo root that the forge reads on push. The folder names differ, the contents overlap in some places and diverge in others, and the portability story between them is worse than you’d expect. A companion to my earlier post on g
- Whale FallFeb 21, 2026Andrew Nesbitt
When a whale dies in the open ocean, its carcass sinks to the abyssal floor and becomes an ecosystem. Marine biologists call this a whale fall, and the body sustains life in three overlapping stages: mobile scavengers strip the soft tissue over months, enrichment opportunists colonise the bones and surrounding sediment for years, and chemosynthetic bacteria feed on the skeleton itself for decades,
- ActivityPubFeb 20, 2026Andrew Nesbitt
ActivityPub is a federated protocol used by public houses in the United Kingdom and the Republic of Ireland for announcing scheduled events, drink promotions, and community activities to patrons and the wider neighbourhood. Each participating pub operates as an independent instance, maintaining its own chalkboard and event schedule while optionally sharing activity information with other instances
- Go Modules for Package Management ToolingFeb 19, 2026Andrew Nesbitt
I’ve been working on a reusable layer for building ecosystem-agnostic package and supply chain tools in Go: fourteen modules under git-pkgs covering manifest parsing, registry clients, license normalization, platform translation, vulnerability feeds, and more. These are rebuilds of libraries I’ve written and used in Ruby for years, some going back to Libraries.io and more recently for Ecosyste.ms,