Andrew Nesbitt andrew
The Commission's call for evidence rightly identifies European reliance on non-EU digital technologies, but focuses primarily on cloud infrastructure, AI, and end-user applications. There's a critical layer missing: the dependency intelligence infrastructure that sits between source code hosting and application deployment.
Open source software underpins 70-90% of all code in the digital economy. But the infrastructure that tracks, analyses, and secures that software is almost entirely US-controlled: package registries, vulnerability databases, dependency graphs, software composition analysis tools, and automated update services. A European company can self-host Forgejo for code hosting and still depend entirely on US services for vulnerability scanning, dependency updates, license compliance, and SBOM generation.
The M×N Problem
Package management has an M×N problem. Every tool implements support for every ecosystem separately. When a new language ships a package manager, it goes to the back of every queue
require "net/http"
require "json"
require "uri"
require "digest"
require "fileutils"
INSTANCE = "https://mastodon.social"
USERNAME = "andrewnez"
CACHE_DIR = File.join(__dir__, ".cache")

git-pkgs+ gittuf integration investigation

This document explores how git-pkgs and gittuf could integrate to enable dependency-aware security policies for Git repositories. The goal: let gittuf enforce policies like "adding new runtime dependencies requires two approvals" or "block dependencies with critical CVEs" by leveraging git-pkgs' understanding of package ecosystems.

What git-pkgs does

git-pkgs is a Git subcommand for tracking package dependencies across git history. It answers questions like "when was this dependency added?", "who added it?", and "what changed between these two commits?" with a unified interface across 40+ package ecosystems.

git-pkgs was recently rewritten from Ruby into Go, partly to enable this kind of integration (importable as a Go library) and partly to simplify deployment as a single binary. It's in early development and can be adapted to work well with gittuf based on feedback.

Toss a coin to your maintainer,
O guardian of the tree,
For the forests of dependency
Are darker than they seem.
He patches through the nightfall,
He merges through the dawn,
While the auditors ride eastward
To demand another form.
@andrew
andrew / threat_models.csv
Created July 2, 2025 18:41
threat model files and documentation found in public github repos
Repository,Owner,File Path,HTML URL,Size,Downloaded
jaegertracing/jaeger,jaegertracing,THREAT-MODEL.md,https://github.com/jaegertracing/jaeger/blob/0cf2b7bc16f8acb94fa0f427c12f7868de667cfa/THREAT-MODEL.md,,Yes
backstage/backstage,backstage,docs/overview/threat-model.md,https://github.com/backstage/backstage/blob/9f67ede0651a187ed890df3de4caee941e078c95/docs/overview/threat-model.md,,Yes
dotnet/msbuild,dotnet,documentation/specs/BuildCheck/BuildCheck-feature-threat-model.md,https://github.com/dotnet/msbuild/blob/e4dc6152ef4332d8736cadc189044aa3446956f4/documentation/specs/BuildCheck/BuildCheck-feature-threat-model.md,,Yes
projectcontour/contour,projectcontour,site/content/resources/security-threat-model.md,https://github.com/projectcontour/contour/blob/0119d761110441ad3a4ed9406e339eb28ead5da7/site/content/resources/security-threat-model.md,,Yes
cncf/tag-security,cncf,community/assessments/projects/tikv/tikv-threat-model.md,https://github.com/cncf/tag-security/blob/e9e846978149d349300fccb15feff43e58def8ad/commu
@andrew
andrew / maven-repos.txt
Created July 22, 2022 13:26
Working, indexable maven repos as of July 2022
http://artifactory.javassh.com/opensource-releases
http://artifactory.javassh.com/opensource-snapshots
http://artifacts.metaborg.org/content/repositories/releases
http://artifacts.metaborg.org/content/repositories/snapshots
http://bp-cms-commons.sourceforge.net/m2repo
http://files.couchbase.com/maven2
http://java.freehep.org/maven2
http://maven.ecs.soton.ac.uk/content/repositories/openimaj-releases
http://maven.ecs.soton.ac.uk/content/repositories/openimaj-snapshots
http://maven.inria.fr/artifactory/malai-public-snapshot
@andrew
andrew / go-modules.json
Created March 28, 2022 11:54
list of names of go modules from proxy.golang.org up to 28 march 2022
["golang.org/x/text",
"golang.org/x/crypto",
"github.com/FiloSottile/mkcert",
"github.com/DHowett/go-plist",
"software.sslmate.com/src/go-pkcs12",
"golang.org/x/net",
"golang.org/x/exp/notary",
"golang.org/x/sys",
"git.apache.org/thrift.git",