Discussion
Andrew Nesbitt
@andrewnez@mastodon.social  ·  activity timestamp 4 weeks ago

I didn’t realise just how US-centric all of package management was until I made these tables 😅

The Dependency Layer in Digital Sovereignty: https://nesbitt.io/2026/01/28/the-dependency-layer-in-digital-sovereignty.html

Link preview (Andrew Nesbitt): The Dependency Layer in Digital Sovereignty. Where package management fits in the digital sovereignty discussion.
Jeroen Baten
@JeroenBaten@mastodon.nl  ·  activity timestamp 3 weeks ago

@andrewnez why does this excellent blog post not mention Codeberg?

Andrew Nesbitt
@andrewnez@mastodon.social  ·  activity timestamp 3 weeks ago

@JeroenBaten I'll update the post to mention that near the top.

Andrew Nesbitt
@andrewnez@mastodon.social  ·  activity timestamp 3 weeks ago

@JeroenBaten Codeberg/Forgejo currently doesn’t have any dependency graph or insights functionality.

Stephen Paulger
@aimaz@mstdn.social  ·  activity timestamp 4 weeks ago

@andrewnez the frequency of your insightful blogs on package management is impressive.

Super minor nitpick: Black Duck was dropped by Synopsys. It's now an independent company, still US-based though.

Siegfried.
@realSiegfried@troet.cafe  ·  activity timestamp 4 weeks ago

@andrewnez We were running GitLab servers on our local machines in Germany for many years. I see no dependency on the US, except the early setup.

Andrew Nesbitt
@andrewnez@mastodon.social  ·  activity timestamp 4 weeks ago

@realSiegfried do you pay for the dependency insights feature?

Siegfried.
@realSiegfried@troet.cafe  ·  activity timestamp 4 weeks ago

@andrewnez No.

Pradyun Gedam
@pradyunsg@mastodon.social  ·  activity timestamp 4 weeks ago

@andrewnez I'm also surprised how few are non-profits or B corps in that listing.

(Dunno if you wanna add a column for that?)

Andrew Nesbitt
@andrewnez@mastodon.social  ·  activity timestamp 4 weeks ago

@pradyunsg Yeah, I think that would be worth adding as a column.

slampoud
@slampoud@mastodon.cloud  ·  activity timestamp 4 weeks ago

@andrewnez I was having a conversation with a friend in security the other day who was recalling how, when the CVE fiasco happened recently, everyone noticed the EU had what seemed like an alternative they could maybe turn to, but upon closer inspection it was essentially a mirror. We need to do decentralization better, alongside sovereignty, for humanity’s sake.

mossman
@mossman@social.vivaldi.net  ·  activity timestamp 4 weeks ago

@andrewnez I listened to an interesting point on a podcast by Everything Electric this morning. To paraphrase: "96% of the world is *NOT* living in the USA, so can we all please just stop talking about their news and get on with our own lives again?"

Andrew Nesbitt
@andrewnez@mastodon.social  ·  activity timestamp 4 weeks ago

@mossman My post is mostly about needing more standards in package management; the US acting crazy is just a useful way to get more people asking for those standards to be developed.

mossman
@mossman@social.vivaldi.net  ·  activity timestamp 4 weeks ago

@andrewnez I was kind of making the same point. We need to stop allowing all our lives to be dominated by systems and corporations centred on a monoculture which doesn't actually reflect the global diversity.

IzzyOnDroid ✅
@IzzyOnDroid@floss.social  ·  activity timestamp 4 weeks ago

@andrewnez for forges, you might wish to add @Codeberg (Germany, EU). Not sure where Sourcehut sits (is it NL, @sir ?)

So there ARE alternatives. And as already pointed out in another comment by @jens , Forgejo/Gitea can be self-hosted as well. And at least for Forgejo, federation is upcoming IIRC, to take another hurdle (separate registrations) away from self-hosted installs.

But yeah, that list reads horribly, re "sovereignty" 😢

Andrew Nesbitt
@andrewnez@mastodon.social  ·  activity timestamp 4 weeks ago

@IzzyOnDroid Codeberg/Forgejo/srht don’t have the dependency graph security features that the others have, which is what I was talking about.

Jens Finkhäuser
@jens@social.finkhaeuser.de  ·  activity timestamp 4 weeks ago

@andrewnez Consider that Gitea contains package registries, and Forgejo is the FLOSS fork. It's perfectly possible to build a bunch of these things with a self-hosted Forgejo instance.

Which really means that a bunch of things Forgejo does should become de facto standards.

There are also things that can be standardized that help here. For example, there are a few competing solutions for platform/language independent package meta information, including dependencies.

Could focus on that, too.

Andrew Nesbitt
@andrewnez@mastodon.social  ·  activity timestamp 4 weeks ago

@jens I’ve been working on that.

[2 images attached; no captions provided by the author]
Benjamin Geer
@benjamingeer@piaille.fr  ·  activity timestamp 4 weeks ago

@andrewnez @gvwilson What about the Linux package repositories? Canonical, at least, is UK-based if I’m not mistaken, with subsidiaries in several countries.

Andrew Nesbitt
@andrewnez@mastodon.social  ·  activity timestamp 4 weeks ago

@benjamingeer The Linux distros are much more friendly to being mirrored and to standing your own up than many of the language package managers.

Marcus Rohrmoser 🌻
@mro@digitalcourage.social  ·  activity timestamp 4 weeks ago

@andrewnez @benjamingeer I am a bit bugged, as there seem to be no mirrors for e.g. security.ubuntu.com.

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate