A MOAD Scanner as Permaculture Practice
Permaculture's first principle: observe before acting. Spend time in the system you want to change. Understand its flows, accumulations, & waste streams before designing your intervention. A gardener who observes where water pools, where sunlight reaches, & where nutrients concentrate places plants more effectively than one who follows a generic plan.
A MOAD scanner applies this principle to software ecosystems. Before filing a single issue, scan across projects and languages. Map the defect's distribution: how many projects carry CWE-407? Which carry it in high-traffic paths? Which upstream packages, if patched, would propagate the fix to the most dependents? Observe the ecosystem before acting on any single node.
Contrast this with extractive practice: discover a vulnerability, sell it to a vulnerability broker, collect payment, move on. The researcher extracted financial capital from the knowledge and left. No knowledge propagated. No system improved. Future users of every affected project remained vulnerable. The broker holds the knowledge, which decays in value as the vulnerability ages without disclosure.
Permacomputer practice: discover a defect, patch it, disclose it, submit upstream, release the patch as public domain. The knowledge propagates without decay — in fact it compounds: the disclosed CVE becomes a reference, a MOAD post teaches the pattern, future researchers find new instances using the same pattern. A closed loop rather than a terminal extraction.
Permaculture observation precedes permaculture action. The scan generates data about surge scores, dependency graphs, & affected node counts before any patch moves. This data shapes which patches ship first: high-betweenness nodes before leaf nodes, because a fix to a widely-depended-upon library propagates further per unit of effort.
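As an added illustration of that ordering step (example code, not from the original article): the dependency graph, package names, and scan result below are constructed and hypothetical, and a candidate's transitive dependents stand in for "how far one upstream fix propagates", so wider reach ships first.

```python
from collections import deque

# Constructed dependency graph (hypothetical package names): each key
# depends on the packages listed. Fixes flow the other way, to dependents.
DEPENDS_ON = {
    "app1": ["web-framework", "http-client"],
    "app2": ["web-framework"],
    "app3": ["cli-tool"],
    "web-framework": ["http-client", "template-engine"],
    "http-client": ["url-parser"],
    "template-engine": ["text-buffer"],
    "cli-tool": ["text-buffer"],
}

# Constructed scan result: nodes where the defect pattern was confirmed.
AFFECTED = {"web-framework", "url-parser", "text-buffer", "cli-tool", "app3"}


def dependents_graph(depends_on):
    """Reverse the edges: dependency -> set of direct dependents."""
    rev = {}
    for pkg, deps in depends_on.items():
        rev.setdefault(pkg, set())
        for dep in deps:
            rev.setdefault(dep, set()).add(pkg)
    return rev


def transitive_dependents(rev, pkg):
    """Every package that pulls in `pkg` directly or indirectly (BFS)."""
    seen, queue = set(), deque([pkg])
    while queue:
        for child in rev.get(queue.popleft(), ()):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def patch_order(depends_on, affected):
    """Rank affected nodes by propagation reach, widest first; the
    returned dependent sets are the location map for capacity checks."""
    rev = dependents_graph(depends_on)
    reach = {pkg: transitive_dependents(rev, pkg) for pkg in affected}
    return sorted(reach.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for pkg, downstream in patch_order(DEPENDS_ON, AFFECTED):
        print(f"{pkg:15} reaches {len(downstream):2}: {sorted(downstream)}")
```

In this graph the leaf library text-buffer outranks every application above it even though it sits at the bottom of the tree, which is the point of scanning the whole ecosystem before picking the first patch target.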
Produce No Waste: Three Disclosure Paths
Three paths a researcher can take after discovering a critical vulnerability in a popular open-source library:
A. Sell it to a vulnerability broker for $10,000.
B. Report it privately to the maintainer with a 90-day disclosure timeline, then publish regardless of patch status.
C. Submit a patch as a pull request immediately with a simultaneous public disclosure.
Compounding in Open Systems
Permaculture's second principle: catch and store energy when it flows abundantly so you have reserves when it does not. A rain catchment system stores water during storms for use in dry months. A food forest stores solar energy as fruit and biomass across seasons. The goal: match the timing of storage to the timing of abundance.
Hamming's compound knowledge: every new technique connects to your list of important problems, multiplying productive output. A single insight about information entropy, for Shannon, unlocked a decade of theoretical work because it connected to every open question on his list simultaneously. The stored knowledge paid compound interest.
Open-source compounding works differently from individual compounding. A fix merged into a canonical repository stores energy in a place where every downstream fork automatically draws from it. A patch submitted to Python's asyncio library in 2022 propagated to every project using that library without any additional action from the original researcher. The energy stores at the source and compounds through the dependency graph.
MOAD articles store energy differently: each post teaches the scan pattern rather than just disclosing the specific instance. A researcher who reads the CWE-407 MOAD article learns not just that Project X had a flush vulnerability, but what the flush pattern looks like in any language, how to search for it, & how to distinguish it from benign similar code. Future researchers find new instances using the stored pattern rather than rediscovering it from first principles.
The energy storage mechanism matters as much as the energy itself. Knowledge stored in a private notebook compounds only for the notebook's owner. Knowledge stored in a public repo compounds for everyone who reads it. Knowledge stored in a CVE database compounds for everyone running a security scanner. Each storage location has different compounding characteristics.
Issue Trackers & Personal Problem Lists
Hamming kept a list of 10 important problems he returned to repeatedly. The list primed him to recognize when a new technique addressed one of them. His list functioned as personal stored energy: a durable investment in pattern-matching that paid dividends each time a new technique appeared.
A MOAD Loop as Closed System
Permaculture: in a well-designed system, the output of one process feeds the input of another. No output exits the system as waste. A chicken in a food forest produces eggs (food), manure (fertilizer), pest control (service), & scratching (soil aeration). Each output routes to a downstream process rather than leaving the system.
A MOAD factory model builds a similar closed loop. Each stage produces outputs that feed the next:
Scan produces: a confirmed defect instance, a location map of affected nodes, a severity estimate based on betweenness & traffic.
Patch produces: a code correction, a unit test confirming the fix, a diff reviewable by maintainers.
MOAD post produces: a public-domain article explaining the defect class, the scan pattern, & the fix approach. Intellectual capital that persists beyond any single instance.
CVE disclosure produces: a standardized record in NVD, triggering automated security scanners across all affected installations. Social capital for the security community.
Upstream PR produces: the fix in the canonical source, propagating automatically to all downstream forks on their next dependency update.
Each output feeds back: a MOAD post teaches researchers to find new instances, which generates new scans. The unit test becomes a regression guard. The CVE record drives adoption of the patch by operations teams who would otherwise ignore it. The loop closes.
Halt condition: a patch disclosed without confirming downstream capacity floods the queue. MOAD-0001 & MOAD-0005 couple: fix the O(N²) bottleneck at a high-betweenness node, & every downstream processor floods simultaneously. Permaculture's design-for-the-whole-system principle applies here too: optimize one component in isolation and you may create a new bottleneck downstream.
Mapping Outputs to Capital
A MOAD pipeline produces five outputs: a scan result, a patch, a MOAD post, a CVE disclosure, & an upstream PR.