https://blog.vnykmshr.com/writing/tags/open-source/Recent content in Open-Source on vnykmshrHugoenFri, 27 Mar 2026 00:00:00 +0000https://blog.vnykmshr.com/writing/bug-1465/Fri, 27 Mar 2026 00:00:00 +0000https://blog.vnykmshr.com/writing/bug-1465/<p>Three bugs walk into a triage queue.</p> <p>A stack overflow. Symlink loop in tarball parsing, unbounded recursion, process crashes. Build a PoC, trace the call chain, write the report.</p> <p>&ldquo;Duplicate of #1465&rdquo;</p> <p>Memory exhaustion. String replace in an expression engine, exponential allocation, no cost limit. Different repo, different CWE, different everything. PoC, trace, report.</p> <p>&ldquo;Duplicate of #1465&rdquo;</p> <p>SQL injection. Template parameter escaping that wraps but doesn&rsquo;t escape. Different repo again. PoC, trace, report.</p>https://blog.vnykmshr.com/writing/what-compounds/Fri, 20 Mar 2026 00:00:00 +0000https://blog.vnykmshr.com/writing/what-compounds/<p>Something shifted. Not the AI thing &ndash; everyone noticed that. What counts as proof.</p> <p>Used to be your resume, your title, the logo. Still opens doors. But the gap between &ldquo;I can do X&rdquo; and &ldquo;here&rsquo;s the commit&rdquo; got wide enough that both sides feel it. A merged PR has a commit hash. A CVE has a number. A library someone depends on has a git log. Credentials got easier to claim. Artifacts didn&rsquo;t.</p>https://blog.vnykmshr.com/writing/the-invitation/Wed, 18 Mar 2026 00:00:00 +0000https://blog.vnykmshr.com/writing/the-invitation/<p>First PR to an open source project, you&rsquo;re proving you can read. That you studied the codebase, matched the style, understood why things are the way they are before suggesting they should be different. Most people skip this. Most PRs show it.</p> <p>The second and third, you&rsquo;re proving you&rsquo;ll stay. Maintainers have seen hundreds of drive-by contributions. One PR, gone forever. The ones who come back are rare enough to notice.</p>https://blog.vnykmshr.com/writing/the-loop/Sat, 14 Mar 2026 00:00:00 +0000https://blog.vnykmshr.com/writing/the-loop/<p>A handful of Go libraries on GitHub. MIT licensed, anyone can use them for anything, that was always the deal.</p> <p>But the deal isn&rsquo;t about the license. It&rsquo;s about the loop.</p> <p>Someone uses your thing, hits an edge case, opens an issue. Sometimes they send a fix. You review it, learn how people actually use what you built, catch a pattern you missed. That back and forth is the whole point. Code just sits there without it.</p>https://blog.vnykmshr.com/writing/autobreaker/Sat, 15 Nov 2025 00:00:00 +0000https://blog.vnykmshr.com/writing/autobreaker/<p>The <a href="https://blog.vnykmshr.com/writing/circuit-breaking-go/">circuit breaker post</a> from last year used a common trigger: trip after N consecutive failures. This works when traffic is predictable. It falls apart when it&rsquo;s not.</p> <p>At 10,000 requests per second, 10 failures is noise &ndash; a 0.1% error rate. A static threshold trips the circuit on what&rsquo;s essentially a healthy service. At 10 requests per second, 10 failures is total collapse &ndash; 100% error rate over one interval. The same threshold that false-positives under high traffic is too slow to protect under low traffic.</p>https://blog.vnykmshr.com/writing/accepted-committed-resolved/Fri, 11 Apr 2014 00:00:00 +0000https://blog.vnykmshr.com/writing/accepted-committed-resolved/<p>I came across Adrian Hands&rsquo; story through a blog post. I don&rsquo;t remember which one. The details stayed.</p> <p>Adrian was a developer with ALS. By the time he wrote his last patch, his hands were gone. He built a Morse code input rig &ndash; a Darci USB emulator wrapped in PVC pipe strapped to his knee, paddles attached, tapping out dots and dashes with the last muscles that still worked. That was his keyboard.</p>