nik9000

nik9000@programming.dev
Joined
1 posts • 84 comments

I used gerrit and zuul a while back at a place that really didn’t want to use GitHub. It worked pretty well but it took a lot of care and maintenance to keep it all ticking along for a bunch of us.

It has a few features I loved that GitHub took years to catch up to. Not sure there’s a moral to this story.


When someone is having a computer problem I ask them to restart first. Not because I think they don’t know to do it, but just in case. Some people don’t know. Sometimes people forget. Obvious advice is useful sometimes.


I think all those are a little true. But I’m mostly guessing. I’m happy to change my mind if anyone knows better.

Either way, these folks are my hero.


It’s hard. I love Harry Potter. I love Ender’s Game. But their authors hate the people I love. Not personally. They don’t know them and hate them anyway. It makes me sad. I want to share those books.

But I guess it’s better to share books by people who don’t hate my friends. I’ll always have Terry Pratchett and Neil Gaiman. I’ve been sharing The Golden Compass with my kids lately.

Harry Potter was good. But I can live without it in my life. I think I will keep sharing Ender’s Game though.


There’s a store near us that sells a giant metal T-Rex and I want it. But it’s a couple thousand dollars. I’m sure it’s worth it. But I can’t.


Usually I use glob patterns for test selection.

But I did use regex yesterday to find something else. A Java security file definition.


I dunno about stdx as a solution. It’s just not a big enough list.

At work we build a big java thing and we:

  • Manually import all dependencies, including transitive dependencies.
  • Bless them by committing their hash to our repo. I think the cargo lock file does something similar.
  • Audit the dependencies by hand. Sometimes that’s reading them all and sometimes that’s less. Honestly, it’s often less. A few times it’s being members of the upstream community.
  • Don’t allow running as root
  • Drop all permissions we don’t need with seccomp including reading a bunch of stuff
  • Sandbox each thread based on what’s on the stack. Untrusted code can do less stuff.

It’s still not enough. But it helps.

Maybe a web of trust for audited dependencies would help. This version of this repo under this hash. I could see stdx stuff being covered by the rust core folks and I’m sure some folks would pay for bigger webs. We pay employees to audit dependencies. Sharing that cost via a trusted third party or foundation or something feels eminently corporate. Maybe even possible.

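The "bless them by committing their hash" step from the comment above, as an added example that is not the commenter's own tooling: build a SHA-256 manifest of a vendored dependency directory to commit next to the code, then check the directory against that manifest and report artifacts that were removed, added, or altered. The directory layout, file names and jar contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large jars do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(vendor_dir: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under vendor_dir; this is what gets committed."""
    return {
        p.relative_to(vendor_dir).as_posix(): sha256_of(p)
        for p in sorted(vendor_dir.rglob("*"))
        if p.is_file()
    }


def verify_manifest(vendor_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare disk with the blessed manifest and return the three kinds of drift a reviewer cares about."""
    actual = build_manifest(vendor_dir)
    return {
        "missing": sorted(set(manifest) - set(actual)),          # blessed but no longer present
        "unexpected": sorted(set(actual) - set(manifest)),       # present but never audited
        "mismatched": sorted(k for k in manifest.keys() & actual.keys()
                             if manifest[k] != actual[k]),       # content changed under a known name
    }


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Bless a constructed vendor tree, verify it clean, then simulate drift and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp) / "vendor"
        vendor.mkdir()
        (vendor / "lib-a-1.0.jar").write_bytes(b"constructed jar bytes A")  # constructed sample
        (vendor / "lib-b-2.3.jar").write_bytes(b"constructed jar bytes B")  # constructed sample
        manifest = build_manifest(vendor)
        clean = verify_manifest(vendor, manifest)
        # Simulated drift: one artifact replaced, one added, one removed.
        (vendor / "lib-a-1.0.jar").write_bytes(b"tampered")
        (vendor / "lib-c-0.1.jar").write_bytes(b"never audited")
        (vendor / "lib-b-2.3.jar").unlink()
        return clean, verify_manifest(vendor, manifest)


if __name__ == "__main__":
    print(demo())
```

In a real build the manifest would be written to the repo as JSON and `verify_manifest` would fail the build on any non-empty list.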