As we approach the year end, I thought I’d do a hot takes for 2025 thread! Let’s start with the things I’m bullish on. I’m betting on huge progress on Rust in the kernel. This has been years unfolding, and in 2024 it reached mainline and drivers are now getting built in Rust. This is going to explode and more parts are going to be written in Rust for memory-safety, performance, and familiarity for a new wave of kernel devs.
I’m also excited for two other new tools that are two letters each - jj and uv. jj is a new source code management system that has somehow managed to perfectly thread the needle by being git-compatible and interoperable while also presenting a new, and IMO, much more sane model for working with branches and diffs. Don’t get me wrong - git is amazing, but it still presents an incredibly high learning curve full of pitfalls for users that don’t need to know about DAGs and Merkle trees and dirty states. I think jj will reach double-digit percentage of git usage in 2025.
uv is a new Python package and project manager that unifies all the best parts of all of the existing tools. It manages virtualenvs, packages, tools, and even Python itself. Python package management has been an ever-changing nightmare of tools that conflict with other tools since I first started programming 15+ years ago, and uv is the first exciting, modern replacement for all of these that I’ve seen. It’s already grown to ridiculous usage since it was first released; I’m betting on 40% adoption next year.
Time for the things I’m bearish on. If you follow me already, these won’t be new. First, still no SBOMs. Sorry. They’re regulatory-driven in the worst way possible and a checkbox requirement at best that adds no value to vuln management. I hope the new administration focuses on things that matter and really move the needle across their policy agenda in cyber. They’re not going to happen.
Also, no Fair Source. Some companies might try it as they move away from OSS or realize those licenses were never right for them, but we’re not going to see a meaningful community form around it or any large projects that matter start with it from day 1.
Finally, no server-side WASM. It might continue to see adoption in the extensibility/plugin space, but we’re not going to see people switch away from containers or serverless for it. The WASI P1/P2 nonsense and component model mess are overengineered, design-by-committee standards that don’t help real world use cases, and the Bytecode Alliance shenanigans took all the wind out of the community before it could reach critical mass.
A few other random predictions: Another xzutils but worse. We all got very lucky here and this probably wasn’t the first attempt and definitely won’t be the last. Nothing will change in OSS sustainability, OSS is fine and will still be fine. People will still whine when companies use free software to make money. And of course, 2025 will be a big year for Chainguard!
You would elevate to legendary status if you could convince the DoD that software bills of materials (SBOMs) are no longer a good approach to either vulnerability management or Authority to Operate (ATO) requirements gathering as part of the risk management framework (RMF). Great post.
Have to agree with the xz utils bit for sure, unfortunately. Only a matter of time...
I endorse this message. I suspect we will see a much lighter approach in terms of regulatory driven cyber requirements (for better or worse).
You guys killed it in 2024, inspirational. Let's hope for a 2025 of more up and to the right. I am with you on WASM, I was very bullish in 22/3, but the POSIX capability is long off where it needs to be. Going to check out uv, been on poetry for a while, but uv sounds like substantially more. jj too. Happy holidays
🐙to the 🌖
I’m glad to see non-AI predictions on my feed. I think what Go got right from the go get is the source-first module proxy approach. Dagger is following suit, somewhat repenting for the Docker sins. However, the context in Python is different. Go is primarily used for backend, (distributed) systems programming, web servers and CLIs, whereas Python is used (amongst other things) in ML, AI, DS and has dependencies on numpy and CUDA and system-level dependencies, hence conda, so the ecosystem is challenging. I still haven’t wrapped my head around venvs/virtualenvs, and the recent Python3 upgrades on Mac require more typing to do simple stuff like installing packages (the long cryptic message). An unopinionated language took a very opinionated and frustrating decision for super simple stuff.
Agree, although WASM does enable some cool things to run on the browser like https://supabase.com/blog/postgres-new, devs/ops are also getting a bit frustrated on how expensive cloud providers are becoming so I can see something like https://linuxcontainers.org/incus/ and https://www.cloudhypervisor.org/ become more popular on-prem, especially with the big VMware migration that's happening.
Thanks for the pointer to jj. I’ve been waiting years for something to come along and succeed git, or at least fix all the sharp edges in it.
Totally agree with you on the Rust uptake. It continues to surge in adoption from kernel to Chromium to Windows…
I tend to agree with WASM for servers, it is not a panacea and is not suited for any type of a workload. I get overwhelmed and confused by the marketing and buzz around that. Solomon Hykes recently said that to change Docker / containers you’d have to change Linux and I don’t see that happening in the near future. Istio had the most aggressive marketing I’ve seen in CNCF and k8s but it does solve a real challenge. Compliance being number one probably (hey, you wanna sell to those DoD and fed now, don’t you, or perhaps you do find real value in mTLS?), container networking security second, and traffic shaping (e.g. metrics-driven canary rollouts and progressive delivery) third.