OSS Developer Onboarding

Open Source Software (OSS) has an onboarding and a retention problem. These problems are connected, but it’s not clear which is the cause versus the effect. Much of this is based on a conflict of goals and personalities between the different types of OSS contributors. Student The student is looking to leverage their OSS contributions as part of their education and to enhance their resume. Students tend to ask for lots of support from maintainers because they are frequently not users of the project and don’t understand how the project works or why it is designed the way it is. Additionally, they will frequently shotgun their requests to lots of projects and quickly abandon any project where the work seems too difficult or the maintainers are too slow to respond. And once they have content for their resume, or credit in their course, they quickly vanish. ...

April 22, 2025 · Last updated April 22, 2025 · Brandon Mitchell

Is Know Your Developer a Supply Chain Solution?

The financial industry has a concept of “know your customer” to prevent financial fraud. The concept is that fraudsters do not want transactions linked back to their identity. There’s a similar push happening in Open Source security, to verify the identities of contributors before allowing their commits. The suggestion is that this could prevent an xz style attack by requiring in person verification, such as a pgp key signing meeting. ...

March 27, 2025 · Last updated March 27, 2025 · Brandon Mitchell

Reproducible Builds

Reproducible builds are an idealistic solution to many supply chain security challenges I see today. They eliminate an entire chain of attacks, from a compromised build infrastructure (see SolarWinds) to a compromised artifact distribution. But they are only a piece of the solution, and they are rarely implemented today. Here’s my take on what a complete solution would look like, and why no one is doing it. Theoretical Solution An end-to-end solution needs multiple checks at each point along the software delivery path. The goal is to eliminate any single point that can be compromised in the build pipeline. ...

March 20, 2025 · Last updated March 27, 2025 · Brandon Mitchell

Hello World

It seems like every blog needs to start with an introduction, so here’s mine. I’m Brandon Mitchell, a currently semi-retired OSS developer. My career started in consulting and contracting in the Enterprise Management space (think sysadmin but for large distributed networks using expensive software). The second phase of the career shifted into the Docker container, cloud native, and DevSecOps ecosystems. As time went on, I spent more of my free time maintaining open source software until I realized I was working two jobs, getting paid for one, while loving the other. So for the time being, I’m making do without a paycheck, and enjoying giving back to the community that I owe so much of my career to. ...

March 19, 2025 · Last updated March 20, 2025 · Brandon Mitchell