Package Manager Security

It happened again. A group of hackers targeted another cryptocurrency wallet via a malicious NPM package. The good news is that this attempt was foiled.


Discuss amongst yourselves on GitHub

github oss tip

When I ran the Client Apps team at GitHub, I wrote a weekly “newsletter” to the team. I named it the CACAW, which stood for Completely Awesome Client Apps Weekly. The name gave me an excuse to highlight each letter with a crow-themed image.


Suggesting Changes on GitHub

github oss tip

When you see a small bug or error in a repository, a common refrain is to submit a pull request to fix it. To submit a pull request with a correction is an act of kindness to the maintainers. It allows the maintainers to review the change and accept it with a click.


GitHub for Dummies

github oss books

Millions of years ago, Zach Holman gave a great talk about How GitHub uses GitHub to build GitHub. The talk focused a lot on GitHub’s approach to coordinating work on github.com, the software.


Maintainer burnout and package security

Write Every Day

personal meta

My head is crammed with ideas just jostling to see the light of day. I imagine them pounding the inside of my cranium screaming LET US OUT! And in response, I say the same thing I always say. Not yet. It’s counterproductive.


Better Security Through Package Fingerprints

It seemed like an innocuous enough update. Someone yanked the bootstrap-sass Ruby gem version 3.2.0.2 and published 3.2.0.3. RubyGems more or less follows the SemVer versioning scheme (albeit with an extra version segment). An increment of the patch number communicates that the release is a safe bug-fix update, so a command such as bundle update --patch, which only moves to the next patch version, should be safe to run.
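As an added illustration (editor's example, not code from the post or from Bundler), here is a Ruby sketch of the check the excerpt implies: decide whether a version change is a patch-level bump under the four-segment RubyGems scheme, then refuse to trust the version number alone by comparing a SHA-256 fingerprint of the fetched gem bytes against a record pinned earlier. The function names, the pinned-fingerprint table, the default-deny policy for versions with no pinned fingerprint, and the sample bytes are all the editor's constructions.

```ruby
require "digest"

# Split a RubyGems version string into integer segments. RubyGems allows
# four (or more) numeric segments, e.g. "3.2.0.2", where SemVer has three.
def version_parts(version)
  version.split(".").map { |s| Integer(s, 10) }
end

# True when moving from +from+ to +to+ keeps major and minor fixed and the
# remaining segments strictly increase, i.e. what looks like a harmless patch
# bump such as 3.2.0.2 -> 3.2.0.3. Prerelease or malformed versions (e.g.
# "3.2.0.3.rc1") are never treated as a plain patch bump.
def patch_bump?(from, to)
  a = version_parts(from)
  b = version_parts(to)
  return false unless a[0, 2] == b[0, 2]
  (b <=> a) == 1
rescue ArgumentError
  false
end

# Fingerprint of a built gem: SHA-256 over the exact bytes that would be
# installed. Keeping one per version lets you notice when a version number
# that looks like a bug fix carries contents you have never seen before.
def fingerprint(gem_bytes)
  Digest::SHA256.hexdigest(gem_bytes)
end

# Editor's policy (an assumption, not Bundler behaviour): an update is only
# accepted when it is a patch bump AND the fetched bytes match the pinned
# fingerprint for that version. A never-seen version is rejected rather than
# auto-installed, which is exactly the case a yank-and-republish exploits.
def assess_update(from_version, to_version, fetched_bytes, pinned_fingerprints)
  return :not_a_patch_bump unless patch_bump?(from_version, to_version)
  expected = pinned_fingerprints[to_version]
  return :no_fingerprint_pinned if expected.nil?
  fingerprint(fetched_bytes) == expected ? :ok : :fingerprint_mismatch
end

# Constructed sample input (not real gem contents): stand-ins for an original
# build of a version and a republished build under the same number.
GOOD_BUILD = "bootstrap-sass 3.2.0.3 -- original build".b
TAMPERED_BUILD = "bootstrap-sass 3.2.0.3 -- republished with extra code".b
PINNED = { "3.2.0.3" => Digest::SHA256.hexdigest(GOOD_BUILD) }

if __FILE__ == $PROGRAM_NAME
  puts assess_update("3.2.0.2", "3.2.0.3", GOOD_BUILD, PINNED)      # ok
  puts assess_update("3.2.0.2", "3.2.0.3", TAMPERED_BUILD, PINNED)  # fingerprint_mismatch
  puts assess_update("3.2.0.2", "3.2.0.4", GOOD_BUILD, PINNED)      # no_fingerprint_pinned
end
```

The point of the second check is that a version number is a claim made by whoever holds publish rights, while a fingerprint is a property of the bytes themselves; the two disagreeing is the signal worth stopping on.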


Package Author Identity through Social Proofs

Why NuGet Package Signing Is Not (Yet) for Me

Strap in for a rollicking exploration of the NuGet package signing feature. What is the feature and what is it good for? And does it live up to its purpose? Yes, my friends, I know how to party.


Managing Risk

Every project risks failure to some degree or other. There’s the risk of delivering late. The risk of not being able to deliver at all. Or the risk that when you do deliver, it solves the wrong problem. It’s a risky business, but not the kind with Tom Cruise lip-synching in his underwear. When you work on a project, it’s important to be aware of and manage risk. There are several good tools for doing this.


Include my Git Aliases

git aliases

I’m a big fan of Git aliases as a means of improving your developer workflow when using Git. They are great for automating common tasks. They also can help make sense of the byzantine set of options Git has.


SemVer's New Maintainers

semver

For several years now, I’ve been the maintainer of the SemVer specification. It’s been an honor and privilege to be in this position. But I’ll be honest, it’s also an enormous responsibility and a big pain in the ass. This is why I’m happy to say that I am stepping down as the maintainer of SemVer and passing the torch to a team of maintainers better suited to direct its future. Now the pain (and honor, don’t forget the honor) can be distributed among multiple people, and not focused on just one.


New Year, New Job

GitHub had about 50 employees when I joined back in December 2011. Seven years later, it blew past 950 people and Microsoft acquired it for $7.5 Billion. What would you say if I told you it could have been way more valuable than that?


Increase your giving by 50% for free

What if I told you there’s a way you can increase your giving by up to 50% or more (depending on your tax bracket) at no cost to you? For every dollar you put in, you’d have $1.50 to give to a charity of your choice? Interested? Read on then.


Phil Haack is no longer a GitHubber

personal work

It used to be a tradition at GitHub to announce new hires with a blog post with the pattern, “So and so is a GitHubber.” Each post would be accompanied by an image.


Steal My Blog Design

A name like Haack does not make me destined to win awards as an outstanding designer. I’ve come to grips with that. I’m not terrible, mind you. I’d say my skill level is somewhere in the ballpark of slightly above Geocities and closely approaching the aesthetics of Craigslist, on a good day.


An adventure in CSS with column lists

css design

Sit back and relax as I regale you with a harrowing account of trying to do something straightforward with CSS. Ha! Straightforward. How silly was I to think that. As they say,


The Problem of Package Manager Trust

nuget security

UPDATE April 3, 2019 Several years after I wrote this post, NuGet added a package signing feature. I wrote a blog post that takes a close look at the feature.


Land that first programming job

How does a person land their first job as a developer these days?


Caribbean Developer's Conference

Picture a developer’s conference held at a resort on a tropical island. What comes to mind? An endless supply of Piña Coladas? Sand abrasions in all the dark crevices of your body? Or perhaps, if you’re a developer, you imagine sitting on the beach, staring out at the ocean as a nice respite between sessions.
