@Marcus@k8s.social Huh, I hadn't noticed they too changed their license. We're going to need tools to help avoid projects not hosted by a foundation in our supply chains if this keeps up. Maybe some Rego rules in @www.jvt.me@www.jvt.me's DMD :)
https://dmd.tanna.dev/
Announcing my first podcast appearance on Changelog and Friends, talking about salary history, the IndieWeb, ADHD and dependency-management-data, among other things.
Quantifying your reliance on #OSS by @www.jvt.me@www.jvt.me
They started to create a dependency tree to determine whether they should take part in #hacktoberfest. But it's not always like that, as in some cases everything depends on a very fragile library ([xkcd comic #2347](https://xkcd.com/2347/)).
Understanding how your business depends on software is important from a few points of view:
- how am I affected by migrating away from #OpenSource
- usage of unwanted libraries
- understand usage of libraries and their versions
- discover unmaintained, deprecated or vulnerable software
But all that applies to #InnerSource too!!
- how maintained are the dependencies?
- how are the security practices followed in the supply chain?
How can we do it? It can be done using #OpenSource with dependency-management-data https://dmd.tanna.dev/ with a CLI and web interface. It uses a #sqlite db, and provides a GraphQL API too. And without vendor lock-in!
The Dependabot API helped him to get some insights to know where to contribute in ways that were helpful to the company he was working for. But it was not enough information. endoflife.date helped him to find what's soon to expire, and other similar websites provided other info. `dmd` helps in an easier way, and it uses #renovate and other tools and services to get all the data for the model.
Then you can query the db for what you are interested in. It comes with some pre-baked queries.
For #InnerSource you could define advisories and policies for when you don't have open APIs to query for that information. For example, flag when some software is using an old git server instance or has a set of code owners set, or how many customer-facing services are using an outdated dependency.
Their [website has some case studies with more examples](https://dmd.tanna.dev/case-studies/).
#SOOCON24
I was pretty chuffed with adding these Slack notifications (via GoReleaser and go-semantic-release) for releases to #DependencyManagementData which flag when there are breaking changes in the release! Makes it much easier to see at a glance, especially as there's a lot of changes going into it.
Why I think dependency scanning tooling should be providing as much data as possible about scanned projects, to allow other tooling to make better inferences about the data.
TIL about https://endoflife.date from @www.jvt.me@www.jvt.me!
Part of a great talk about understanding your dependencies at TechMids.
For those who didn't make it to #DevOpsDays London, or who did and want to watch it again, my talk on dependency-management-data is now live on YouTube.
A writeup of my talk at DevOpsNotts, about the dependency-management-data project and how to use it to understand your internal and external dependencies.
Was quite fun using github.com/saschagrunert/demo, which is definitely now a tool I'll be reaching for whenever I need to script a demo, i.e. for my website, and it's given me some handy integration tests to run in the pipeline too!
Made some changes to the dependency-management-data landing page to hopefully make it a bit better in explaining what it's for, as well as including autogenerated docs from Cobra so you can read the command's docs and capabilities without needing to download it!