Quantifying Nebraska
In 2020, xkcd published Dependency, which posited that "all modern digital infrastructure" is ultimately transitively dependent on "a project some random person in Nebraska has been thanklessly maintaining since 2003".
How can we find these projects and ensure that their maintainers get the thanks and — more importantly — the resources they need?
(Almost) every Python project depends on packages, which depend on packages, which depend on packages. How do we find the ones that might need our help?
Spoiler alert: there's no perfect quantification. (At least to my knowledge.)
But given that, how can we take tooling designed for supply chain security — SBOMs, scorecards, code forge metrics — and use it to identify the packages we depend on that may be at risk, that are load-bearing for our projects, and that we might be able to help in ways more targeted than just throwing money at the problem?
(Although, also, throwing money at problems can be useful. Just saying.)
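As an added illustration of the kind of analysis the talk is describing (this is not code from the talk or from any project mentioned), here is one way to combine an SBOM's dependency graph with maintainer-health signals. It reads a CycloneDX-style JSON SBOM, computes how many packages transitively depend on each component (a rough "load-bearing" measure), and then cross-references constructed health data of the sort you might pull from OpenSSF Scorecard or a code forge API. All package names, the SBOM, the health numbers and the thresholds are made up for the example; the `as_of` date is fixed so the output is deterministic.

```python
"""Rank transitive dependencies by how load-bearing and how at-risk they look.

Input: a CycloneDX-style JSON SBOM (constructed here) plus per-package health
signals (also constructed; in practice from Scorecard / forge APIs).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import date
import json

STALE_AFTER_DAYS = 365            # assumption: no release in a year counts as "stale"
AS_OF = date(2024, 6, 1)          # constructed "today" so the example is deterministic

# Constructed CycloneDX-style SBOM with hypothetical package names.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:pypi/myapp@1.0", "name": "myapp"}},
    "components": [
        {"bom-ref": "pkg:pypi/webfw@4.2", "name": "webfw"},
        {"bom-ref": "pkg:pypi/httplib@2.1", "name": "httplib"},
        {"bom-ref": "pkg:pypi/tlsbits@0.9", "name": "tlsbits"},
        {"bom-ref": "pkg:pypi/dateparse@1.3", "name": "dateparse"},
        {"bom-ref": "pkg:pypi/leftpad@0.1", "name": "leftpad"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/myapp@1.0", "dependsOn": ["pkg:pypi/webfw@4.2", "pkg:pypi/dateparse@1.3"]},
        {"ref": "pkg:pypi/webfw@4.2", "dependsOn": ["pkg:pypi/httplib@2.1", "pkg:pypi/leftpad@0.1"]},
        {"ref": "pkg:pypi/httplib@2.1", "dependsOn": ["pkg:pypi/tlsbits@0.9"]},
        {"ref": "pkg:pypi/dateparse@1.3", "dependsOn": ["pkg:pypi/leftpad@0.1"]},
        {"ref": "pkg:pypi/tlsbits@0.9", "dependsOn": []},
        {"ref": "pkg:pypi/leftpad@0.1", "dependsOn": []},
    ],
})

# Constructed health signals (hypothetical values; not real projects).
HEALTH = {
    "webfw": {"maintainers": 12, "last_release": date(2024, 5, 1)},
    "httplib": {"maintainers": 3, "last_release": date(2024, 1, 15)},
    "tlsbits": {"maintainers": 1, "last_release": date(2021, 8, 3)},
    "dateparse": {"maintainers": 2, "last_release": date(2023, 11, 20)},
    "leftpad": {"maintainers": 1, "last_release": date(2019, 2, 10)},
}


def parse_sbom(sbom_json):
    """Return (root_ref, {ref: name}, {ref: [refs it depends on]})."""
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    names = {root: bom["metadata"]["component"]["name"]}
    names.update({c["bom-ref"]: c["name"] for c in bom.get("components", [])})
    graph = {ref: [] for ref in names}
    for entry in bom.get("dependencies", []):
        graph.setdefault(entry["ref"], []).extend(entry.get("dependsOn", []))
    return root, names, graph


def transitive_dependents(graph):
    """For each ref, the set of refs that transitively depend on it (BFS over the reversed graph)."""
    reverse = defaultdict(set)
    for ref, deps in graph.items():
        for dep in deps:
            reverse[dep].add(ref)
    result = {}
    for ref in graph:
        seen, queue = set(), deque(reverse[ref])
        while queue:
            parent = queue.popleft()
            if parent not in seen:
                seen.add(parent)
                queue.extend(reverse[parent])
        result[ref] = seen
    return result


@dataclass
class Finding:
    name: str
    dependents: int    # packages in the graph that break if this one does (the root counts)
    flags: tuple       # health concerns found
    score: int         # dependents * number of flags: high means load-bearing AND at-risk


def rank_at_risk(sbom_json, health, as_of):
    """Rank every non-root component; unknown health data is flagged, not treated as healthy."""
    root, names, graph = parse_sbom(sbom_json)
    dependents = transitive_dependents(graph)
    findings = []
    for ref, name in names.items():
        if ref == root:
            continue
        h = health.get(name)
        flags = []
        if h is None:
            flags.append("no-health-data")
        else:
            if h["maintainers"] <= 1:
                flags.append("single-maintainer")
            if (as_of - h["last_release"]).days > STALE_AFTER_DAYS:
                flags.append("stale-release")
        n = len(dependents[ref])
        findings.append(Finding(name, n, tuple(flags), n * len(flags)))
    return sorted(findings, key=lambda f: (-f.score, -f.dependents, f.name))


def demo():
    """Run the ranking over the constructed inputs above."""
    return rank_at_risk(SBOM_JSON, HEALTH, AS_OF)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.name:10} dependents={f.dependents} score={f.score} flags={f.flags}")
```

In this constructed graph `leftpad` and `tlsbits` come out on top: each has three transitive dependents and is both single-maintainer and stale, which is exactly the "Nebraska" shape the talk is after. The score is deliberately crude; the point is that the SBOM tells you what is load-bearing and the health signals tell you what is fragile, and you want the intersection.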
There's lots of talk about making supply chains more secure. Let's make sure we make them more sustainable as well.
Adam works as a security-focused software developer at the Rust Foundation working on ecosystem security, especially around improving supply chain security for crates.io and Rust releases.
Professionally, his history includes stints as a developer at New Relic, deviantART, and Sourcegraph, while his open source work includes being a project member of Rust and PHP.
In his spare time, he plays cricket, kayaks, speaks Spanish extremely badly, throws tennis balls for his golden retriever, and tries to convince people that his Australian accent is actually flawless Canadian.