JustinG

@justingosses.github.io

Niche nerd content on Geology, Maps, Open Source, Code, Machine Learning, and Houston. For disclosure purposes, @ Microsoft, but opinions my own.

269 Followers · 964 Following · 305 Posts · Joined 18.11.2023

Latest posts by JustinG @justingosses.github.io

Updating my resume to more explicitly have “fixing software”.

27.02.2026 03:05 👍 2 🔁 0 💬 0 📌 0

No worries, understand the annoyance of getting things to work on all screen types, especially when brand new. Just flagging it.

24.02.2026 04:05 👍 0 🔁 0 💬 0 📌 0

Only shows map on iPhone safari if turned horizontal, took a bit to figure out

24.02.2026 03:32 👍 0 🔁 0 💬 1 📌 0
# Lessons learned from oapi-codegen's time in the GitHub Secure Open Source Fund

As noted in GitHub's post, `oapi-codegen` was one of the projects taking part in the third GitHub Secure Open Source Fund session. I'd like to take a moment to reflect on the program, and some learnings I've taken from it.

One of the quotes I shared at the end of the program summed up my time:

> Having time dedicated to following best practices has been invaluable☆ (well, $10k)

## Why did we join the fund?

`oapi-codegen` is a project that takes an OpenAPI specification and generates Go code for either interacting with that API via an autogenerated client, or generates scaffolding for a number of HTTP servers and web frameworks to reduce the implementation burden, as well as generating types for API request/responses.

Given the project is in a fairly privileged position - interacting with every HTTP request/response on either client or server-side, and likely exposed to sensitive data and credentials - securing the project is very important.

As a code generator, `oapi-codegen` can generate a fair bit of code for you to commit to your project. But does everyone review the generated code? _Hopefully yes_ 🫣 But given we can't guarantee it, we want to make sure that nothing dodgy could land in folks' codebases.

### Extending the maintainer pool

On top of this, for the last ~2 years, I've been effectively maintaining `oapi-codegen` on my own. As I've written about a couple of times, maintaining a large project like this is fairly time consuming and difficult, _especially_ if it's only you. Additionally, `oapi-codegen` isn't a single project, and other child projects, such as middleware for request/response validation, or conversions between types at runtime, also need maintenance. The project is sufficiently complex, led by user examples, and has a lot of usage that can make it hard to maintain for $0/month.

Over the last few years I've been very appreciative of a few companies sponsoring the work, but the project requires more hours of work, especially given the many large companies using it, but giving nothing back.

While looking at options for increasing the number of folks who maintain the project, a key area I wanted to focus on was to make sure that the security of the project would not be compromised. This was, in fact, the key reason I submitted `oapi-codegen` to the program - I wanted support in making sure that I'd done my due diligence to make sure we were setting the project and its users up for success as we introduced new members to maintain the project.

For instance, adding a new collaborator with Write access onto the repository would, by default, allow the pushing of a Git tag, which would then be a released Go version that automated tools like Renovate would happily start upgrading folks to. Alternatively, the new collaborator able to approve a PR and merge it onto the `main` branch would also be treated as a version that's ready to be used, as we recommend pinning to commits off `main` to get changes before a release.

I love that Go provides a straightforward process for users to get updates, but making sure there was a level of control and protection for our users was important, as I've worked hard to build confidence with our users.

Having dedicated time (and money) to fund the work to focus on security was a very big mentally, as it meant I didn't feel "guilty" for not looking at PRs or Issues raised by users, and instead focussing on security as a dedicated pool of time. With this in place, we are much more able to take on additional collaborators and maintainers.

## Understanding our gaps

Over the years, I've worked in and around supply chain security, and on efforts to ensure the enterprise I worked for has had good security posture. I would say I have a fairly good understanding of good GitHub permissions models, areas to focus to make sure that bad actors can't leverage lax permissions, and experience with some of the tools to help audit usage.

But the reality of only having one human maintaining the project was at odds with this - enforcing code review of all PRs worked for external contributor PRs, but when I needed to make changes, I didn't have a second reviewer.

Since 2024, I've been working towards the OpenSSF Best Practices "passing" grade badge for `oapi-codegen`, and working towards following best practices there. As with many parts of the industry, there's often multitudes contained in a single area, and security is absolutely not the exception to the rule. Naturally there were gaps we had in other areas that we knew we were lacking in, and areas that we _didn't_ know we were lacking in.

During the program, we got a chance to dig into different areas with a mix of talks, workshops and Q&A sessions, looking at areas like threat modelling, fuzzing and how to handle a security advisory (which may then become a CVE).

Having the time to work on the program meant that we could address some of the security gaps, not limited to:

* Setting up a security policy for the organisation
  * Including explicitly documenting which versions are supported, how to report a security issue, and how we treat **??**.
* Tightening branch protection rules and/or migrating to Repository Rulesets
* Setting up `govulncheck` with GitHub Code Scanning alerts
* Setting up collection of OpenSSF Security Scorecard reports data
* Enforcing GitHub Advanced Security checks

As well as these concrete steps, we have also made less outwardly visible steps, like work towards a threat model for the project.

## Access to more of a community

It's also been nice to have a place to chat, complain and brainstorm with other maintainers who are in a very similar position. Within the group, there was a good spread of projects' security levels, and everyone was at different points along the spectrum - more secure in some ways, but with gaps in other areas, leaving everyone feeling fairly equal overall.

Although there is the GitHub maintainers community, which I've used in the past to field questions from other maintainers, it's quite a large group, and especially when talking about slightly more sensitive things like security, it's been nice to have a small trusted group.

## Can an inactive project be more secure?

This is a slightly tongue-in-cheek comment, but I thought it'd be worth noting that given `oapi-codegen` has recently received slightly less maintenance it _could_ be argued that we're more secure for it 🤓 With reduced merging of community contributions (while still keeping an eye on security updates) it's meant that we're at least not merging potentially risky code changes.

That's not where we want to be, however, as we want to be both secure _and_ well maintained!

## Great teachers

The team at GitHub were great in taking us through the program in a mix of different formats - synchronous and asynchronous Q&A, workshops, presentations - and were all greatly knowledgeable and there was so much to learn. Working to upskill folks at a range of experience levels and security understanding is a tough job, but they made it seem like it was straightforward! Thanks again everyone 💜

## Looking forward

Now we're able to talk about our time in the program publicly, expect to see some more learnings shared! If you're interested in hearing about anything in particular, let me know!

Sharing some thoughts about the GitHub Secure Open Source Fund and how I spent the time with `oapi-codegen`.

17.02.2026 19:16 👍 4 🔁 1 💬 0 📌 0

It’s been a bit since I saw a good WASM magic trick, this stuffing of an LLM into a font is delightful.

13.02.2026 22:08 👍 4 🔁 2 💬 0 📌 0

Nice summary of how the economics / ergonomics of open source contributions is changing, partially due to generative AI.

12.02.2026 20:56 👍 4 🔁 0 💬 0 📌 0

I haven’t overlaid house damage datapoints on new map yet, but it seems to follow damage patterns less than I expected? Example: it has more floodplain along little white oak where no flooding historically. Curious if part of reason is that area has escaped worst rain concentrations in past events?

12.02.2026 15:57 👍 0 🔁 0 💬 0 📌 0

also, remember what 100-year flood vs 500-year flood means... it's a probability of occurrence. Consider the flood probability over the time living in the location, like during a 30-year mortgage.

12.02.2026 15:38 👍 2 🔁 1 💬 0 📌 0

Love these types of maps for social media as the algorithms tend to show you what you already follow or others follow - not weird new niches to explore far from home.

09.02.2026 04:05 👍 0 🔁 0 💬 0 📌 0

It is feeling similar to how there’s a point in time after atomic test impacts show up in…..everything.

What’s a good name for the llm version of Anthropocene?

06.02.2026 19:03 👍 0 🔁 0 💬 0 📌 0
Anthropic's newest AI model uncovered 500 zero-day software flaws in testing

The AI company sees the model's advancements as a major win for cyber defenders in the race against adversarial AI.

I’ve built things that help to understand security posture & community health of open source leveraging number of data points, wonder if new one should be most commits before or after AI code assistants?

www.axios.com/2026/02/05/a...

06.02.2026 19:01 👍 0 🔁 0 💬 1 📌 0

Also someone please do this side project so I don’t. It’s just getting easier and harder to resist.

05.02.2026 22:10 👍 0 🔁 0 💬 0 📌 0

A #geology / #code side project I’ve thought should be possible for years is global map of all rock outcrops near roads via street view images. Would be super useful for field trips and geotechnical things. This basically does it for New York City. Search for “rock outcrops”.

05.02.2026 22:07 👍 5 🔁 1 💬 1 📌 0

Here are charts highlighting the destruction of American science by Trump and the Republicans. The red lines are now.

05.02.2026 18:27 👍 0 🔁 1 💬 0 📌 0

With those safeguards in place though, usage of skills and such could explode as agents or an MCP app could go off and search a package registry index & find the best agent.md, instructions, skills, etc. for any given scenario and add that context, thereby constraining outputs to improve performance.

05.02.2026 06:41 👍 0 🔁 0 💬 0 📌 0

Up until recently most of those files were written by hand or copied and pasted by hand into repos. Once you start having agents go out and find them for you or themselves, you need more safety guardrails.

05.02.2026 06:41 👍 0 🔁 0 💬 1 📌 0
AGENTS.md

AGENTS.md is a simple, open format for guiding coding agents. Think of it as a README for agents.

I’m not at all sure it will happen, but I could imagine sustained spike in malware in agent.md, instructions.md, & similar eventually driving those files into being more like packages with a package registry, security scanning, and gates.

Recent malware in agent.md: theaitimes.org/articles/cla...

05.02.2026 06:41 👍 1 🔁 0 💬 1 📌 0

Schumer & Jeffries lay out the Democratic demands for a DHS funding deal in a letter to the top Republican leaders

05.02.2026 02:35 👍 1201 🔁 400 💬 258 📌 431

Stretched this idea many steps too far and wrote a blog post about how we can modify the parameters of the original Turing test to map modified game play dynamics to different AI-human interactions we experience today: coding assistants, Facebook bots, etc. justingosses.com/blog/generat...

04.02.2026 21:13 👍 3 🔁 0 💬 0 📌 0

Pebbles

31.01.2026 03:17 👍 0 🔁 0 💬 0 📌 0

Calming thread to break up the doom scrolling

29.01.2026 16:08 👍 2 🔁 0 💬 1 📌 0

I am. But there are three things at play here regarding ICE collecting private data. Quick rundown on the issue, why you should be paying attention, and what I'm doing about it:

27.01.2026 21:28 👍 6782 🔁 2287 💬 167 📌 142

So we’re going to need Privacy Act But With Teeth after all this is over

27.01.2026 17:52 👍 32 🔁 12 💬 1 📌 0

Our paper on the mysterious Devonian organism Prototaxites has now finally been published! See the paper here (www.science.org/doi/10.1126/...) and our explainer thread below!
Prototaxites reconstruction by Matt Humpage

21.01.2026 19:25 👍 1136 🔁 414 💬 39 📌 110

This is, in my opinion, not only the correct moral/ethical/legal position but also the correct political framing. Everyone can see the agency is out of control; everyone can see that it is constantly violating human rights. "Scrap it and start over" is the moderate position.

20.01.2026 17:30 👍 8640 🔁 1937 💬 95 📌 29

Local news Fox9 reports:

ICE detains Minnesota city worker, a snow plow driver, and transfers him to detention facility in Texas. Where he remains.

"He had every federal authorization to be here," public works director in interview.

hat tip: @longtimehistory.bsky.social

19.01.2026 15:06 👍 2297 🔁 1112 💬 89 📌 55

Feels like you’re saying the PM and engineering role will in many cases collapse into the same role as those decisions increasingly need to be made by same person at once rather than being passed back and forth.

18.01.2026 16:17 👍 0 🔁 0 💬 0 📌 0

Really appreciate these security guides by @eff.org Shared them with family multiple times. This one is about protests but they have general purpose ones also good in regard to stopping advertisers from selling your data.

18.01.2026 16:07 👍 2 🔁 0 💬 0 📌 0
Back of Red t-shirt with white text of “The primary role of the geologist is to recognize the existence of phenomena before trying to explain them”

Red t-shirt with white words of “Franklin & Marshall geosciences” and rock hammer and pick logo.

Geologists put it on t-shirts.

15.01.2026 00:22 👍 4 🔁 0 💬 0 📌 0

Courts have put constraints on them in some cases, especially with national guard, so they move partly because (1) rulings sometimes only apply locally (2) taking away the forces can stop certain cases from proceeding that they don’t want to lose.

14.01.2026 18:47 👍 2 🔁 1 💬 1 📌 0