# Brent Toderash — Full Site Content

> Technologist, open-source advocate, and writer based in Winnipeg, Canada.
> Site: https://toderash.net

---

## About

I'm a software engineer and open-source community contributor based in Winnipeg, Manitoba. My work sits at the intersection of web infrastructure, publishing tooling, and developer experience.

Most of my recent energy has gone into AspirePress (https://aspirepress.org) — an open-source project building a federated mirror of the WordPress plugin and theme ecosystem — and the FAIR Protocol (https://fair.pm), a platform-agnostic software supply chain that gives CMSes like WordPress and TYPO3 independence from any single distribution platform.

Before that I spent a decade building web applications and managing technical operations at Rainy Day Software Corp. and Modern Earth Inc., mostly in the WordPress and TYPO3 ecosystems, mostly for clients who cared about accessibility and long-term reliability more than they cared about what was fashionable.

I write here about things I've actually worked through — CMS architecture, deployment workflows, compliance frameworks, and the occasional infrastructure rabbit hole. The goal is to be useful to the next person who hits the same wall.

---

## Blog Posts

### Kairos: Being in the Room

URL: https://toderash.net/blog/Kairos-Being-in-the-Room/
Published: 2026-05-22
Category: TYPO3

A modest May 2026 gathering in Atlanta felt like a seminal moment for the open source enterprise CMS market in North America, which is currently facing uncertainty and upheaval. TYPO3 is stepping in boldly.

You don't always know when you're in the liminal space which, years later, you'll look back on and say, "I was *there*." Sometimes there's a momentous feeling to a point in time, and other times, you don't know the significance of a moment until much later. Beginnings are like that: their nature can be cloaked in uncertainty. And yet.

When I studied ancient Greek (long story), we learned the word *kairos* (καιρός), which is quite different from the word *chronos* (χρόνος). *Chronos* is the personification of time in Greek mythology, and the word means precisely what you'd expect it to from the word chronology. One minute follows the next, each one being qualitatively and quantitatively the same. *Kairos*, on the other hand, was the Greek god of Time, Opportunity, and Favourable Moments. With that background, *kairos* refers to an opportune moment, an exact or critical time. While *chronos* refers to time, *kairos* refers to the *right* time.

This week I've been in Atlanta to participate in a CMS Experts meeting hosted by Boye & Co., and the first TYPO3 Summit North America, held in the ballroom at the Georgia Aquarium. My work with FAIR brought me here to build on what we started with TYPO3 in March. As a late addition to the schedule, I joined Karim Marucchi on stage to talk about the FAIR Package Manager Project, and why it's important for TYPO3 and for any enterprise considering risk factors relating to their software supply chains.

The day ended with a lovely Thai dinner. Not everyone was able to make it there, but before we dispersed any further, TYPO3 GmbH CEO Daniel Fau said just a few brief words before requesting a group photo. It's those words that remind me of *kairos*. I believe — as do Daniel, Karim, and I'm sure most of the room — that this is TYPO3's moment. The day had that feeling; the sense that it was an inaugural event that becomes a foundation for an unfolding future. It wasn't an exceptionally large group, but the significance isn't in how many were there, but in who was there. Keep an eye on TYPO3.

We're currently facing new kinds of uncertainty in the broader open source community, from sustainable funding models to stable governance to ensuring open remains *open*, while dealing with the monumental impact of AI on the industry with a flood of CVE reports and escalating supply chain attacks.

To cap off the two event days, yesterday I spent a casual afternoon and evening with most of the TYPO3 group and some folks from Karim's Crowd Favorite team. We shared many laughs, interspersed with insights and ideas about interpreting the present time and anticipating the future.

This is the moment, the *kairos*, when TYPO3 is asserting itself with an increased presence in North America. It's already very popular in Europe, where within certain vertical sectors or industries it commands market shares in the 40-50% range. Typically, these are enterprise users in sectors like transportation, higher education, and government. With a long-time focus on making enterprise technology accessible to the SME market, this makes me take notice. There's (much) more to say in the coming days, but TYPO3 offers unrivaled stability on its course through the list of uncertainties that open source is currently attempting to navigate.

---

### Open Source is Not Enough

URL: https://toderash.net/blog/Open-Source-is-Not-Enough/
Published: 2026-05-25
Category: OSS Sustainability

In response to Joost de Valk's post saying that open source is the right start but not enough, I suggest some conditions needed for healthy open source projects. Without proper governance and a model that ensures sustainability, a briefcase full of funding could kill a project as easily as stimulating it.

Earlier this week, Joost de Valk wrote a post titled "Open Source First is right, but not enough." The spark is an open letter from SUSE and a group of European open source companies concerning the pending Cloud and AI Development Act being proposed by the European Commission.

The act calls for public procurement processes to assess whether qualified open source alternatives exist before a proprietary solution is considered. I think that's a great move, both for digital sovereignty and responsible stewardship of public funds. Joost says it's not enough, citing his experience with FAIR, and the reason he and Karim Marucchi had to step back from establishing a funding model to implement it for the WordPress ecosystem. The missing piece, Joost suggests, is the neutrality of the underlying infrastructure. Even if the procurement process funds the *software* project, that crucial infrastructure may remain unfunded. In September 2025, OpenSSF and a group of software registries released a statement, "Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship," pointing to the fact that relying on donations alone is not a reasonable expectation for funding the global software ecosystem.

As for the EU legislation, my mind goes to what would be considered a qualified open source alternative. Suitability to purpose is obvious, but doesn't go far enough, as project health should definitely be a consideration if the procurement department isn't prepared to have to adopt the project. A healthy project needs sound governance and a sustainability model.

At this point, I feel I should call out established, accountable, trustworthy governance as a prerequisite to funding. In a conversation about funding and open source sustainability last week, I pointed out that you can't fund projects that don't have proper governance, or you risk killing the project with a cash injection. It should be axiomatic that a harmonious group of like-minded collaborators can be stymied by a briefcase full of cash faster than by the most vexing of technical problems. The first question to ask is whether the project is *ready* to be funded.

Sustainable OSS isn't easy, but many of us are committed to it.
We've seen some very challenging years for open source, but we still have plenty of successful models as exemplars.

---

### Security & Trust in OSS Supply Chains

URL: https://toderash.net/blog/Security-Trust-OSS-Supply-Chain/
Published: 2026-05-22
Category: Supply Chain

Supply chain security ensures you get what you asked for, but not whether what you asked for is safe. Establishing trust in software requires verifiable provenance with cryptographically attributable identity for the publisher.

My work on the FAIR Package Manager is largely concerned with securing the software supply chain, so I've been thinking a lot about different facets of security, and where security concerns spill over into trust.

Supply chain security ensures that the requested package is delivered from its source as a bit-for-bit copy with no modification or tampering. It ensures only that you got what you requested, even if the package is malicious. In other words, even if you can trust the supply chain to deliver the package you asked for, you can't necessarily trust what's in the package. By and large, supply chains are not designed to protect against software that was already compromised before it entered the supply chain (for example through a compromised maintainer account or build host), and this is the focus of increasingly effective software supply chain attacks. Some supply chains do repository-level validation, but mainly on a limited basis.

A key takeaway from Ken Thompson's "Reflections on Trusting Trust" is that it's not enough to validate and trust the package; you've actually got to trust its publisher as well, and beyond that, the publisher-trusted authors and maintainers who write and ship the code.

At launch, the FAIR Package Manager established better supply chain security for the WordPress ecosystem on a number of fronts, including non-technical ones such as governance and single-vendor risk. On the technical side, the FAIR Protocol builds in support for cryptographic signing of packages in addition to validation of checksum hashes.
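To make the difference between those two checks concrete, here is an added example in Go; it is not code from the FAIR project or from this site, and the `Release` field names, the sample archive bytes, and the use of Ed25519 are assumptions for illustration. It goes one step beyond the text by modelling a compromised distribution point that swaps the archive *and* republishes a matching checksum: the checksum check still passes, and only the signature check, done against a publisher key obtained out of band, catches the substitution.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a distribution point hands a client: the archive bytes
// and what it claims about them. Field names are an assumption for this
// example, not the FAIR Protocol's wire format.
type Release struct {
	Name      string
	Archive   []byte
	Checksum  string // hex SHA-256 published beside the archive
	Signature []byte // Ed25519 signature over Archive, made by the publisher
}

// Verdict keeps the two questions a client should ask separate.
type Verdict struct {
	Integrity bool // archive matches the published checksum
	Authentic bool // archive is what the trusted publisher key signed
}

// Publish is what an honest publisher does at release time: sign the archive
// with its private key and compute the checksum the mirror will serve.
func Publish(name string, archive []byte, priv ed25519.PrivateKey) Release {
	sum := sha256.Sum256(archive)
	return Release{
		Name:      name,
		Archive:   archive,
		Checksum:  hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, archive),
	}
}

// ChecksumOK answers only "did the bytes arrive intact?". A party that can
// swap the archive can usually swap the checksum beside it, so this detects
// corruption and naive tampering, not substitution by whoever controls the
// distribution point.
func ChecksumOK(r Release) bool {
	sum := sha256.Sum256(r.Archive)
	return hex.EncodeToString(sum[:]) == r.Checksum
}

// SignatureOK answers "is this what the holder of the key matching pub
// signed?". pub must be obtained out of band (pinned in the client or
// resolved through a trusted identity record), never from the same download.
func SignatureOK(r Release, pub ed25519.PublicKey) bool {
	if len(pub) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return false // malformed input must fail closed, and Verify would panic on it
	}
	return ed25519.Verify(pub, r.Archive, r.Signature)
}

// Verify runs both checks; a client should install only when both hold.
func Verify(r Release, publisherKey ed25519.PublicKey) Verdict {
	return Verdict{Integrity: ChecksumOK(r), Authentic: SignatureOK(r, publisherKey)}
}

// SubstituteOnMirror models a compromised distribution point that replaces
// the archive and republishes a matching checksum. It has no access to the
// publisher's private key, so the original signature is left as-is.
func SubstituteOnMirror(r Release, replacement []byte) Release {
	sum := sha256.Sum256(replacement)
	out := r
	out.Archive = replacement
	out.Checksum = hex.EncodeToString(sum[:])
	return out
}

// keyFromSeed derives a deterministic Ed25519 key pair from a fixed seed so
// the example runs offline and reproducibly. Real publishers generate keys
// from a CSPRNG and keep the private half away from the distribution path.
func keyFromSeed(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := make([]byte, ed25519.SeedSize)
	for i := range s {
		s[i] = seed
	}
	priv := ed25519.NewKeyFromSeed(s)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	publisherPub, publisherPriv := keyFromSeed(0x01)
	_, attackerPriv := keyFromSeed(0x02)

	// Constructed sample archive standing in for a plugin zip.
	honest := Publish("example-plugin-1.2.0.zip", []byte("<?php // honest plugin"), publisherPriv)
	fmt.Printf("honest:    %+v\n", Verify(honest, publisherPub)) // both true

	// Mirror swaps the archive and fixes up the checksum: integrity passes, authenticity fails.
	swapped := SubstituteOnMirror(honest, []byte("<?php // backdoored plugin"))
	fmt.Printf("swapped:   %+v\n", Verify(swapped, publisherPub))

	// Attacker re-signs with their own key: internally consistent, but not the key the client trusts.
	resigned := Publish(honest.Name, swapped.Archive, attackerPriv)
	fmt.Printf("re-signed: %+v\n", Verify(resigned, publisherPub))
}
```

The point of the split `Verdict` is that a client which only logs "checksum OK" would accept both the swapped and the re-signed release; the signature check is the only one of the two that ties the bytes to a publisher, and it is only as good as the client's out-of-band knowledge of which key that publisher uses.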

Provenance is all about verification. Software provenance describes the process of how a release asset came to be created, including who its authors are, what other software libraries it contains or relies upon, and the build process that produced the release asset from its source code.

Cryptographic signatures differ from checksum hashes in that they are verified with the publisher's public key: a valid signature confirms not just that you've got a bit-for-bit copy of what the publisher signed, but also who signed it. A checksum served from the same place as the package proves nothing about the publisher, since whoever can replace the package can replace the checksum beside it. Cryptographic signatures add authentication to file integrity, but are still missing from a surprising number of software supply chains, including expansive ones like WordPress. Even then, a signature only binds the bytes to a key; whether that key belongs to who you think it does, and whether the publisher behind it is trustworthy, are the questions provenance and identity have to answer. The EU's Cyber Resilience Act (CRA), at the vanguard of a whole batch of regulatory legislation, will change the shape of the software industry for the better.

Verifiable identity establishes accountability, which is another strong signal for building trust. With the availability of decentralized identifiers (DIDs) and privacy-preserving online identity verification, we should expect the future of trust-building to include verifiable attestations concerning the identity of software authors and contributors.

---

## Feeds & Discovery

- RSS: https://toderash.net/rss.xml
- Sitemap: https://toderash.net/sitemap-index.xml
- LLMs index: https://toderash.net/llms.txt

## Contact

- Email: brent@toderash.net
- Mastodon: @brenttod@mastodon.social
- Bluesky: @brenttod.bsky.social
- GitHub: https://github.com/toderash