Andrew Nesbitt
Andrew Nesbitt — Open source infrastructure builder, creator of Ecosyste.ms and Libraries.io
Package management and open source metadata expert. Building Ecosyste.ms, open datasets and tools for critical open source infrastructure.
nesbitt.io
Even a perfect PR with a note saying 'no rush' creates a low-grade obligation the moment it appears.
One of the foremost voices on open source package management and software supply chains. Andrew writes with deep, hands-on knowledge — he built Libraries.io and Ecosyste.ms — and his posts often compare how different language ecosystems solve the same problems. A rare blog that makes dependency management genuinely interesting to read about.
Written by Andrew Nesbitt.
Very Active
Publishes multiple times per week
Independent Blog
English
How this blog's content is accessed through Blogs Are Back.
Full Content
RSS feed includes complete post content for reading in-app
Direct Access
Feed can be fetched directly from your browser
Direct Post Links
Post pages can be loaded directly in the reader
Embeddable
Posts can be displayed inline in the reader view
Recent posts from Andrew Nesbitt's RSS feed.
Git in Postgres
In December I wrote about package managers using git as a database, and how Cargo’s index, Homebrew’s taps, Go’s module proxy, and CocoaPods’ Specs repo all hit the same wall once their access patterns outgrew what a git repo is designed for. homebrew-core has one Ruby file per package formula, and every brew update used to clone or fetch the whole repository until it got large enough that GitHub explicitly asked them to stop. Homebrew 4.0 switched to downloading a JSON file over HTTP, because...
Two Kinds of Attestation
The word “attestation” now means two unrelated things in open source, and the people using it in each sense don’t seem to be talking to each other much. npm and PyPI have both shipped build provenance attestations using Sigstore over the past couple of years. When you publish a package from GitHub Actions with trusted publishing configured, the CI environment signs an in-toto attestation binding the artifact to the source repository, commit, and workflow that built it, and the signature goes in...
Reproducible Builds in Language Package Managers
You download a package from a registry and the registry says it was built from a particular git commit, but the tarball or wheel or crate you received is an opaque artifact that someone built on their machine and uploaded. Reproducible builds let you check by rebuilding from source yourself and comparing, and if you get the same bytes, the artifact is what it claims to be. Making this work requires controlling both the build environment and the provenance of artifacts, and most language package...
Where Do Specifications Fit in the Dependency Tree?
Your Ruby gem declares required_ruby_version >= 3.0. That constraint references the Ruby 3.0 language specification, expressed through the implementation version, checked against whichever runtime happens to be running, with no distinction between MRI and JRuby, and no connection to the specification document that defines what Ruby 3.0 even is. Runtimes at least show up somewhere in the tooling. Your HTTP library also depends on RFC 9110, your JSON parser on ECMA-404, your TLS implementation...
Forge-Specific Repository Folders
Git doesn’t know about CI, code review, or issue templates, but every forge that hosts git repositories has added these features through the same trick: a dot-folder in your repo root that the forge reads on push. The folder names differ, the contents overlap in some places and diverge in others, and the portability story between them is worse than you’d expect. A companion to my earlier post on git’s magic files. .github/ GitHub’s folder holds: workflows/ — GitHub Actions CI/CD configurat...
If you enjoy Andrew Nesbitt, you might also like these blogs.
Filippo Valsorda
words.filippo.io
Go security team member writing about cryptography and open source maintenance.
Seth Larson
sethmlarson.dev
Python security and open source infrastructure, plus retro gaming preservation and emulation.
the website of jyn
jyn.dev
Technical blog on build systems, Rust, developer tools, and the human side of software engineering.
Lukáš Lalinský
lalinsky.com
Creator of AcoustID and Picard, writing about music tech and Python.
If you care about how open source software actually gets distributed, maintained, and sustained, Andrew's perspective is essential reading.