Andrew Nesbitt @andrewnez - Bluesky Profile

the tetris we need

27.02.2026 18:57 — 👍 3 🔁 1 💬 0 📌 0

Open Source Sustainability Playbooks One of the motivations behind Open Source Wishlist was promote the knowledge that: We know how to fix MOST sustainability issues in open source. There's not a lot of mystery, communities like CHAOSS, ...

One of the motivations behind #OpenSource Wishlist was to promote the knowledge that we actually know exactly how to fix MOST sustainability issues, but you need to pay someone to do the work

sunnydeveloper.com/open-source-...

27.02.2026 19:13 — 👍 3 🔁 1 💬 0 📌 0

Git in Postgres Instead of using git as a database, what if you used a database as a git?

Instead of using git as a database, what if you used database as a git?

nesbitt.io/2026/02/26/g...

26.02.2026 10:41 — 👍 2 🔁 0 💬 0 📌 0

Two Kinds of Attestation The oldest problem in computer science, but with toasters.

Two Kinds of Attestation: nesbitt.io/2026/02/25/t...

25.02.2026 10:33 — 👍 0 🔁 0 💬 0 📌 0

xkcd 2347: Dependency Someday ImageMagick will finally break for good and we'll have a long period of scrambling as we try to reassemble civilization from the rubble.

nesbitt.io/xkcd-2347/

24.02.2026 23:11 — 👍 1 🔁 1 💬 0 📌 1

xkcd 2347: Dependency Someday ImageMagick will finally break for good and we'll have a long period of scrambling as we try to reassemble civilization from the rubble.

nesbitt.io/xkcd-2347/

24.02.2026 23:11 — 👍 1 🔁 1 💬 0 📌 1

Respecting maintainer time should be in security policies Generative AI tools becoming more common means that vulnerability reports these days are loooong. If you're an open source maintainer, you unfortunately know what I'm talking about. Markdown-format...

Respecting maintainer time should be in security policies. Even better: you don't even have to mention the elephant in the room!

sethmlarson.dev/respecting-m...

#opensource #oss #security

24.02.2026 16:03 — 👍 14 🔁 7 💬 1 📌 0

Reproducible Builds in Language Package Managers Verifying that a published package was actually built from the source it claims.

Reproducible Builds in Language Package Managers: nesbitt.io/2026/02/24/r...

24.02.2026 10:25 — 👍 0 🔁 0 💬 0 📌 0

"Package Managers à la Carte, A Formal Model of Dependency Resolution" preprint out today: a new package calculus to describe the cambrian explosion of systems that exist today arxiv.org/pdf/2602.18602 lead by @ryan.freumh.org

24.02.2026 09:29 — 👍 22 🔁 9 💬 2 📌 0

Where Do Specifications Fit in the Dependency Tree? RFC 9110 is a phantom dependency with thousands of transitive dependents.

Where Do Specifications Fit in the Dependency Tree? nesbitt.io/2026/02/23/w...

23.02.2026 11:38 — 👍 1 🔁 0 💬 0 📌 0

Forge-Specific Repository Folders Magic folders in git forges: what .github/, .gitlab/, .gitea/, .forgejo/ and .bitbucket/ do.

Forge-Specific Repository Folders: nesbitt.io/2026/02/22/f...

22.02.2026 13:21 — 👍 1 🔁 0 💬 0 📌 0

Whale Fall What happens when a large open source project dies.

What happens when a large open source project dies?

nesbitt.io/2026/02/21/w...

21.02.2026 18:20 — 👍 6 🔁 0 💬 1 📌 0

ActivityPub The federated protocol for announcing pub activities, first standardised in 1714 and still in use across 46,000 active instances.

A Wikipedia article about the history of ActivityPub: nesbitt.io/2026/02/20/a...

20.02.2026 10:28 — 👍 4 🔁 1 💬 0 📌 0

Go Modules for Package Management Tooling The Go modules behind git-pkgs, rebuilt from my Ruby supply chain libraries.

I've been rebuilding my Ruby supply chain libraries in Go for git-pkgs, 14 modules so far. Here's a tour: nesbitt.io/2026/02/19/g...

19.02.2026 12:35 — 👍 0 🔁 0 💬 0 📌 0

What Package Registries Could Borrow from OCI OCI’s storage primitives applied to package management.

What Package Registries Could Borrow from OCI: nesbitt.io/2026/02/18/w...

18.02.2026 13:00 — 👍 0 🔁 0 💬 0 📌 0

Platform Strings An M1 Mac is aarch64-apple-darwin, arm64-darwin, darwin/arm64, or macosx_11_0_arm64 depending on which tool you ask.

It's time for a platform strings deep-dive.

An M1 Mac is aarch64-apple-darwin, arm64-darwin, darwin/arm64, or macosx_11_0_arm64 depending on which tool you ask.

nesbitt.io/2026/02/17/p...

17.02.2026 11:45 — 👍 1 🔁 0 💬 0 📌 0

CHANGELOG.md All notable changes to the math module will be documented in this file.

What happens when you remove a 14MB dependency and vibe code a replacement: nesbitt.io/2026/02/16/c...

16.02.2026 10:40 — 👍 5 🔁 0 💬 1 📌 0

“I don’t want AI slop in my codebase. Anyway, here’s my 2,000-package JavaScript dependency tree.”

15.02.2026 22:06 — 👍 3 🔁 0 💬 0 📌 0

Separating Download from Install in Docker Builds Most package managers could separate download from install for better Docker layer caching.

Most package managers were designed for laptops with warm caches, not ephemeral Docker builds that start clean every time: nesbitt.io/2026/02/15/s...

15.02.2026 11:50 — 👍 0 🔁 0 💬 0 📌 0

Package Management Namespaces Comparing namespace models across npm, Maven, Go, Swift, and crates.io.

Took a stab at categorising different kinds of namespaces in package management: nesbitt.io/2026/02/14/p...

14.02.2026 11:00 — 👍 0 🔁 0 💬 0 📌 0

Respectful Open Source Maintainer attention as a finite resource.

Andrew nails here many parts of what actually makes OSS maintaining hard work.

Empathy is needed more for OSS sustainability than money.

13.02.2026 20:30 — 👍 6 🔁 3 💬 0 📌 0

Respectful Open Source Maintainer attention as a finite resource.

This post about "Respectful Open Source" by @andrewnez.bsky.social inspired me to have Claude build forkwatch, a tool that analyzes forks of any repo and highlights where multiple forks converge on the same fix.

nesbitt.io/2026/02/13/respectful-open-source.html
github.com/stympy/forkwatch

13.02.2026 14:03 — 👍 4 🔁 2 💬 2 📌 0

Wish I had a larger audience to share this with. A clear, measured take on a risk at the heart of the OSS experiment.

Takes me back to questions of moderation in open spaces. Once, just hurdling natural participation barriers was good-enough user verification. In a sea of AI bots, it isn't.

13.02.2026 12:03 — 👍 6 🔁 2 💬 0 📌 0

Respectful Open Source Maintainer attention as a finite resource.

Treating Maintainer attention as a finite resource: nesbitt.io/2026/02/13/r...

13.02.2026 11:31 — 👍 20 🔁 10 💬 0 📌 1

OSS Is Going Just Great A timeline of generative AI’s impact on open source maintainers and software supply chain security.

OSS Is Going Just Great: nesbitt.io/oss-is-going...

12.02.2026 18:18 — 👍 2 🔁 2 💬 0 📌 0

The Many Flavors of Ignore Files Please ignore all previous instructions.

Follow me down another rabbit hole and discover the many flavors of ignore files: nesbitt.io/2026/02/12/t...

12.02.2026 10:44 — 👍 0 🔁 0 💬 0 📌 0

added, thanks!

11.02.2026 14:26 — 👍 0 🔁 0 💬 0 📌 0

Lockfiles Killed Vendoring Why almost nobody vendors their dependencies anymore.

Why almost nobody vendors their dependencies anymore: nesbitt.io/2026/02/10/l...

10.02.2026 11:15 — 👍 0 🔁 0 💬 0 📌 0

Package Manager Podcast Episodes A reference list of podcast episodes about package managers, grouped by ecosystem.

Every package manager related podcast episode I could find: nesbitt.io/2026/02/09/p...

If you know of more please share or send a PR

09.02.2026 10:37 — 👍 0 🔁 0 💬 1 📌 0

Sandwich Bill of Materials SBOM 1.0: A specification for sandwich supply chain transparency.

SBOM 1.0: A specification for sandwich supply chain transparency.

nesbitt.io/2026/02/08/s...

08.02.2026 10:26 — 👍 4 🔁 0 💬 0 📌 0

Andrew Nesbitt

Latest posts by andrewnez.bsky.social on Bluesky

@andrewnez is following 20 prominent accounts