I have spent more than 25 years at the operational center of enterprise infrastructure, open source software, and security, through the shifts to cloud, to automation, and now to AI. I write about the patterns that repeat across those shifts, and about the choices that look routine in the moment but end up defining what comes next.
My Substack. Essays and field notes on supply chain security, open source governance, and the pace of change AI is forcing on both.
Longer essays on software supply chain security, open source risk, and the compliance and governance decisions enterprises are now facing.
Selected essays
Why point-in-time controls like version pinning fail once the software you verified and the software that runs are no longer the same software.
A signed build attestation proves the process ran, not that the result is clean. The case for verifying provenance at runtime.
Open source projects are formalizing who is accountable for AI-generated contributions, and why that judgment cannot be automated away.