Blog

Cross-Platform Identity: When the Same Private Key Signs Two Forges

Why SSH-key fingerprint matches across GitHub, GitLab, Codeberg, and Sourcehut are the strongest cross-platform identity signal in open source --- and what they cannot prove.

AI-Generated PRs and the New Shape of Contributor Risk

AI lowers the cost of manufacturing convincing fake contributor histories. Here are the signals that still hold up, and what DevTrace looks for in the metadata and the behavior.

Bus Factor 1: The Metric Your Dependency Review Is Missing

Why bus factor is the strongest predictor of open source project fragility, and how to measure it alongside contributor retention and velocity before your dependency becomes unmaintained.

Anatomy of a Trust Score: What 23 Signals Tell You About an Open Source Contributor

How DevTrace evaluates contributor trust across five categories, and what that looks like applied to the xz-utils timeline.