Config Management Camp 2023 Ghent

Something is rotten in the state of Denmark
2023-02-07, 14:50–15:15, B.2.015

Most Puppet users have had the experience of evaluating modules on the Puppet Forge. Maybe you have too. Maybe you were comparing a handful that all claimed to meet your needs, or maybe you were just determining whether a specific module met your standards for deploying into your production environment. With tools like puppet-lint and the PDK, it's fairly straightforward to evaluate code quality. But what about the health of the project itself? Is it actively maintained? Are Forge releases kept up to date? What are the chances that the latest release was compromised with a hidden bitcoin miner?

How do you answer those sorts of questions? You probably:
- Skimmed the module's README for signs of the author's diligence.
- Poked through the issue list and pull requests on the repository hosting the module source to see how responsive the maintainers were to community collaboration.
- Checked the changelog for consistency.
- Maybe you even checked the commit history to see if there were unreleased fixes, or compared tags against the published version(s).

Wouldn't it be nice to automate some of this due diligence? That's what denmark does. The Shakespeare quote refers to corruption at the top of a political hierarchy making its way down through the entire state. In the context of this tool, it means that often we can detect concerns with a project by sniffing around the edges and seeing if anything rolling downhill stinks.
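A sketch of how the tag, release and commit-history checks listed above could be automated. This is an added example, not denmark's own code: the `audit` and `tag_version` helpers are hypothetical, and the release, tag and commit data are constructed samples standing in for what would come from the Forge and the source repository.

```ruby
require 'date'

# Constructed sample data for a hypothetical module; not real Forge or git output.
RELEASES = [
  { version: '2.1.0', released: Date.new(2022, 3, 1) },
  { version: '2.2.0', released: Date.new(2022, 9, 15) }
].freeze
TAGS    = %w[v2.0.0 v2.1.0 v3.0.0 nightly].freeze
COMMITS = [Date.new(2022, 9, 10), Date.new(2022, 10, 2), Date.new(2022, 11, 20)].freeze

# Turn a git tag such as "v2.1.0" into a comparable version; nil for
# tags that are not versions at all (e.g. "nightly").
def tag_version(tag)
  candidate = tag.sub(/\Av/, '')
  Gem::Version.correct?(candidate) ? Gem::Version.new(candidate) : nil
end

# Returns [check, detail] pairs; an empty list means nothing stood out.
def audit(releases, tags, commit_dates, today:, stale_days: 365)
  published = releases.map { |r| Gem::Version.new(r[:version]) }
  tagged    = tags.map { |t| tag_version(t) }.compact
  latest    = releases.max_by { |r| Gem::Version.new(r[:version]) }
  latest_v  = Gem::Version.new(latest[:version])
  findings  = []

  # A published release with no tag cannot be matched to a point in the repository history.
  published.reject { |v| tagged.include?(v) }.sort.each do |v|
    findings << [:release_without_tag, v.to_s]
  end
  # A tag newer than the latest release means the Forge copy lags the repository.
  tagged.select { |v| v > latest_v }.sort.each do |v|
    findings << [:tag_not_published, v.to_s]
  end
  # Commits after the latest release date are changes users have not received.
  unreleased = commit_dates.count { |d| d > latest[:released] }
  findings << [:unreleased_commits, unreleased] if unreleased.positive?
  # Days since the latest release, against a caller-chosen threshold.
  age = (today - latest[:released]).to_i
  findings << [:stale_release, age] if age > stale_days
  findings
end

audit(RELEASES, TAGS, COMMITS, today: Date.new(2023, 2, 7)).each { |f| puts f.inspect }
```

A release with no matching tag is the finding most relevant to the compromised-release question, since the published artifact then has no corresponding source revision to compare against.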


See the project at https://github.com/binford2k/denmark

Community lead and developer advocate at Puppet; I get to build neat things -and- talk to people! \o/ I've been in the tech industry in one way or another since the late 90's doing everything from devops before devops was a thing at a tiny security startup, to forensics investigations, to maintaining a compute cluster for a computational anthropology department at an American university and teaching the grad students how to write distributed Java code to run on it.

I run marathons in those funny finger shoes and recently moved my social engagement to https://hachyderm.io/@binford2k
