Content addressing in package managers
https://nesbitt.io/2026/07/07/content-addressing-in-package-managers.html
Content addressing in package managers
https://nesbitt.io/2026/07/07/content-addressing-in-package-managers.html
RE: https://mastodon.social/@grimalkina/116875316859643065
Pre-ordered!
Interesting read on the perceived immutability of #git tags and the issues that come with it:
https://arxiv.org/pdf/2606.31354
There now is a paper about what I witness every now and again: Upstreams retagging their releases and causing a mess.
You shouldn’t trust Trusted Publishing
https://blog.yossarian.net/2026/07/07/You-shouldnt-trust-trusted-publishing
Content addressing in package managers
https://nesbitt.io/2026/07/07/content-addressing-in-package-managers.html
The schedule for the Packaging Summit at EuroPython 2026 is up. July 13, full day in Kraków/Poland.
Late attendance requests and topic proposals are still welcome.
Public notes: https://hackmd.io/@jezdez/europython2026-packaging-summit
Details: https://programme.europython.eu/europython-2026/talk/SBREFN/
I had a chat with Lori Lorusso and Niko Matsakis about the Rust Foundation Maintainers Fund
Funding open source is a huge topic right now, the Rust Foundation has some great ideas. It will be exciting to watch this one grow and evolve
Tbh I was expecting the gearbox to go first, pleasantly surprised that it survived.
First track day with the new turbo… blew a drive shaft 🥲
This Week in Package Management: 4 July 2026
https://nesbitt.io/2026/07/04/this-week-in-package-management.html
This Week in Package Management: 4 July 2026
https://nesbitt.io/2026/07/04/this-week-in-package-management.html
⚠ Several critical #Guix daemon vulnerabilities and a minor vulnerability in ‘pull’ and ‘time-machine’ have been fixed: time to upgrade! ⚠
https://guix.gnu.org/blog/2026/guix-substitute-pull-vulnerabilities/
We’ve been working on improving the experience for conda users who need packages from both conda and PyPI, and we’re excited to invite you to try it!
🚀 With the latest conda release, you can now opt into the conda-pypi beta, which enables conda to discover, install, and manage Python packages from PyPI natively alongside your conda packages.
Learn more: https://conda.org/blog/2026-06-25-bridging-conda-and-pypi-ecosystems
The CRA is not about open source - https://nesbitt.io/2026/07/01/the-cra-is-not-about-open-source.html
RE: https://mastodon.social/@andrewnez/116845067016479290
Yep, this sounds like a good prediction of the effects of the CRA on open source: "A haulage firm told it is answerable for the state of every bridge on its route will plan routes with fewer bridges on them before it considers starting a bridge-repair division."
@andrewnez I started out slightly optimistic about CRA being an avenue for companies to (financially) support the projects they rely on, but as I personally see a complete lack of interest in this from companies even though I can sell it to them and we're approaching the date CRA goes live for real, I can only conclude that the money for CRA compliance will, as usual, end up in some middle mens' pockets. Not in the open source projects'.
The CRA is not about open source - https://nesbitt.io/2026/07/01/the-cra-is-not-about-open-source.html
A bit of light reading cc @adamshostack