Personal blog built with Jekyll and hosted on GitHub Pages.
I write about package management, software supply chain security, and open source infrastructure. I'm building Ecosyste.ms, a collection of open datasets and tools for understanding and improving critical open source infrastructure.
- gittuf - a signed log for git refs
- Skills Registry Threat Models
- The Infosec Phrasebook
- This Week in Package Management: 30 May 2026
- Composer’s dependency policies
- Protestware for coding agents
- Package managers that package package managers
- CHAOSS Metrics in 2026
- GitHub Actions security in Python packages
- Signing is for the bad days