HackerTrans
TopNewTrendsCommentsPastAskShowJobs

michaelw

no profile record

Submissions

Xkcd Simulation for Real Packages

nesbitt.io
2 points·by michaelw·5 माह पहले·0 comments

Hyrum's Tests

github.com
2 points·by michaelw·5 माह पहले·1 comments

Open Infrastructure Is Not Free: A Joint Statement on Sustainable Stewardship

openssf.org
20 points·by michaelw·10 माह पहले·7 comments

comments

michaelw
·5 माह पहले·discuss
Similar to LinkedIn's "verified" process, Porkbun uses a 3rd party: veriff.com. https://www.veriff.com/privacy-notice.

It appears that Veriff's data retention is set by their customers (in this case Porkbun). Porkbun's policy says that this information is deleted as soon as they have verified that you "pass." They aren't quite as explicit as saying that they require Veriff to delete it that quickly.

Unfortunately there's a giant loophole in Veriff's policies (emphasis mine):

  (5) Fifth, we store Personal Data only for as long as the retention of data is required by law, a contract *or is necessary for the provision or development of our Services or required for protecting us against legal claims.* At the end of the retention period, we shall permanently erase the Personal Data or anonymize it.
michaelw
·5 माह पहले·discuss
From Hyrum's Law to AI generated unit tests to automatically validate implicit dependency contracts.
michaelw
·9 माह पहले·discuss
Oh this brings back some fun memories. I worked with QNX for the ICON computer at Cemcorp and ESP Educational Software Products.

The OS was so clean but it lacked a lot of basic tooling. Back then there was no GUI or even a graphics library. We had to build or port a lot of things, including a VCS, from scratch. My editor of choice was JOVE (I couldn't get Emacs to build). I remember digging up various papers on graphics and creating our first graphics library.
michaelw
·10 माह पहले·discuss
Please see my other reply about network costs. Bandwidth is a real cost that does not currently show up on the balance sheet because of Fastly's generous donations.

That said, I would love to see more organizations implement private staging repositories for their upstream package supply. This is where they can and should apply policies to protect their applications.

Developing a single multi-protocol or even multiple open source caching proxies will cost real time and money. I'd love to see more solutions here but at this stage it will take more than a few volunteers and a "PRs welcome" in the README.
michaelw
·10 माह पहले·discuss
If the costs were all bandwidth related I would agree. Most open source package managers benefit from Fastly's generous donation of credits. Even if one ignores the single-provider-point-of-failure risk, the reality is that the development and operational costs of running package managers is much more than just networking bandwidth and more is needed.

Malware scanning, AI slopsquatting, and typosquatting are just a few of the things that package managers do today. Implementing emerging standards like Trusted Publishing ( https://repos.openssf.org/trusted-publishers-for-all-package... ), the Principles for Package Repository Security ( https://repos.openssf.org/principles-for-package-repository-... ), and improved infrastructure hardening will all important.

The key insight is that these are services that require development and operations budgets that scale with their usage.
michaelw
·10 माह पहले·discuss
Original joint statement on the OpenSSF blog: https://openssf.org/blog/2025/09/23/open-infrastructure-is-n...
michaelw
·10 माह पहले·discuss
Package managers are the app stores of software development. They are essential to the developer workflow and are key points of leverage with regard to supply chain security. They will be even more critical as AI-based development expands.

The root-cause problem is that package managers are funded like charities when they should be operating like non-profits. Their costs scale with usage but their donation-based revenue is dwindling. This problem has been partially masked by generous infrastructure donations but the operational costs are not just network and compute. There's a lot of security engineering development and ops in running a package manager service.