
Risk-First: Stars of Software


Author: Risk-First

Risk-First is about understanding how to manage risks in software development.
But there are a million jobs in technology besides coding, testing, and releasing.

How does risk inform those jobs?
And could it be that being good at any job in tech really means being good at risk management?


Is all work… risk management?

I’m Rob Moffat, and in each episode I sit down with leaders, builders, and thinkers from across the software industry to understand what they do, the risks they navigate every day, and the lessons they’ve learned along the way.

Because behind every successful system, career, and company…
there’s someone making smart decisions about risk.

And if you want to be great in your chosen field, you need to be great at managing risk.


So who better to learn from… than the stars?

Welcome to Risk-First: Stars of Software.

2026 Risk-First
Categories: Management, Management & Leadership, Economics
Episodes
  • Risk-First: Stars of Software #9 - Dave Thomas
    2026/05/30

    Dave Thomas: Pragmatism, Feedback Loops, and Why AI Doesn’t Change the Fundamentals

    In this episode of Risk-First: Stars of Software, Rob Moffat talks with Dave Thomas, co-author of The Pragmatic Programmer, original signatory of the Agile Manifesto, founder of The Pragmatic Bookshelf, and long-time thinker on software simplicity, agility, and feedback-driven development.

    Dave has spent decades shaping how software developers think about programming — from pragmatism and feedback loops, through Agile, Ruby, and testing, to his more recent work on simplicity and AI-assisted software development.

    Along the way, Rob and Dave dive into:

    • Why nearly every idea in The Pragmatic Programmer still applies in the age of AI
    • The role of feedback loops in software development
    • Why Agile was originally about values and adaptability
    • The origins of the Agile Manifesto and how it unexpectedly “went viral” after Snowbird
    • How military concepts like “commander’s intent” parallel modern agile software teams
    • Why organisations built around top-down command structures struggle to be genuinely adaptive
    • How delighting users requires empathy, not just technical competence
    • Why empathy matters not only for people, but for machines, systems, and software design itself
    • The possibility that future AI-generated software may eventually become unreadable to humans
    • Why AI may ultimately reinforce good software design practices like small modules, meaningful names, and readable structure
    • The ongoing “CVE apocalypse”
    • Why writing books — and software — is fundamentally about synthesising and refining ideas from reality into reusable forms
    • Dave’s belief that the best way to navigate an increasingly complex world is to live “agilely”: taking small reversible steps guided by feedback
    Links

    The Pragmatic Programmer
    https://pragprog.com/titles/tpp20/the-pragmatic-programmer-20th-anniversary-edition/
    Classic software engineering book introducing concepts like pragmatism, tracer bullets, orthogonality, and feedback-driven development.

    The Pragmatic Bookshelf
    https://pragprog.com
    Technical publishing company focused on practical software development books across programming, AI, testing, and engineering.

    Agile Manifesto
    https://agilemanifesto.org
    The original Agile Manifesto and principles created at Snowbird in 2001.

    Simplicity
    https://pragprog.com/titles/dtlang/simplicity/
    Dave Thomas’ recent book exploring simplicity, empathy, systems thinking, and software design.

    FINOS
    https://www.finos.org
    Open source foundation discussed in relation to software supply chain security and open source sustainability.

    Dave Thomas’ Substack
    https://newsletter.pragmaticengineer.com
    Dave’s writing and commentary on software, AI, and programming ideas.

    1 hr 11 min
  • Risk-First: Stars of Software #8 - James McLeod
    2026/05/16

    James McLeod: Open Source Communities, Hackathons, and Why Open Source Opens Doors

    In this episode of Risk-First: Stars of Software, Rob Moffat talks with James McLeod, Open Source Lead at NatWest Group, FINOS board member, and organiser of London JS.

    James has spent years at the intersection of enterprise technology and grassroots developer communities — helping banks engage with open source while also building one of London’s best-known JavaScript meetups. Before NatWest, he worked directly within FINOS helping financial institutions collaborate through open source, standards, and shared engineering practices.

    The conversation explores how open source communities form around uncertainty, why meetups and hackathons matter far more than most organisations realise, and how the current explosion of AI tooling mirrors the chaos and creativity of the early JavaScript ecosystem.

    Along the way, Rob and James dive into:

    • How the rise of React, Node.js, npm, and frontend frameworks created a “primordial soup” developers had to collectively figure out together
    • Why London JS was created to help developers learn collaboratively rather than depend on individual experts
    • The importance of creating communities where people can safely experiment, fail, and learn in public
    • Why meetups act as “distilled serendipity” — compressing useful collisions between people and ideas
    • How open source communities help reduce dependency on proprietary ecosystems and centralized knowledge
    • Why hackathons are valuable not just for innovation, but for exposing firms to external thinking and new technologies
    • The challenge of maintaining momentum after hackathons end and preventing ideas from “rotting in a repo”
    • How open source participation helps organisations avoid becoming technologically entrenched
    • Why enterprises often misunderstand open source as purely an IP issue instead of a collaborative engineering model
    • James’ experiences moving from highly proprietary Microsoft ecosystems into open source development cultures
    • How AI today feels similar to the early React ecosystem: lots of tools, rapid change, and nobody really knowing the “correct” answers yet
    • Why AI communities need openness, shared learning, and emotional intelligence — especially when many developers are anxious about the future of work
    • The idea that “open source opens doors” — creating careers, friendships, startups, and opportunities far beyond code itself
    Links

    London JS
    https://www.meetup.com/london-js/
    London-based JavaScript and frontend development community bringing together developers, speakers, and technology enthusiasts.

    FINOS (Fintech Open Source Foundation)
    https://www.finos.org
    Foundation enabling collaboration on open source projects and standards across financial services.

    NatWest Group
    https://www.natwestgroup.com
    UK banking group active in open source collaboration and FINOS initiatives.

    1 hr 20 min
  • Risk-First: Stars of Software #7 - Viktor Petersson
    2026/04/25

    Viktor Petersson: SBOMs, Supply Chains, and the Reality of Software Transparency

    In this episode of Risk-First: Stars of Software, Rob Moffat talks with Viktor Petersson, founder of SBOMify and co-founder and CEO of Screenly.

    Viktor has spent years building real-world systems at the intersection of hardware, cloud, and security—from early Raspberry Pi-based digital signage through to globally deployed platforms used by organisations like NASA and Capital One. More recently, he’s focused on one of the most talked-about—and misunderstood—areas in modern software: Software Bills of Materials (SBOMs).

    The conversation explores why SBOMs have suddenly become a regulatory and industry focus, whether they actually solve the problems they claim to, and what it really means to understand what’s inside the software we run.

    Along the way, Rob and Viktor dive into:

    • What an SBOM actually is—and why it’s often misunderstood as just “a file”
    • Why software supply chain transparency is much harder than it sounds
    • The gap between regulatory intent and engineering reality
    • Why generating SBOMs is easy—but making them useful is not
    • The problem of incomplete, inaccurate, or outdated dependency data
    • How transitive dependencies create hidden and compounding risk
    • Why most organisations don’t actually know what’s in their software
    • The difference between compliance-driven SBOMs and operationally useful ones
    • Why “perfect visibility” is probably unattainable—and what to do instead
    • How SBOMs intersect with vulnerability management and incident response
    • The role of tooling, automation, and standards in making SBOMs usable
    • Whether SBOMs reduce risk—or just make it more visible
    • How supply chain security is evolving alongside AI-generated code
    Links

    sbomify
    https://sbomify.com
    Platform focused on generating, managing, and operationalising Software Bills of Materials.

    Screenly
    https://www.screenly.io
    Digital signage platform originally built on Raspberry Pi, now deployed globally across enterprise environments.

    Topics and concepts discussed

    Software Bill of Materials (SBOM)
    A structured representation of the components, libraries, and dependencies that make up a piece of software.

    Software Supply Chain Risk
    Risks arising from dependencies on external code, including vulnerabilities, maintainership gaps, and compromised packages.

    Transitive Dependencies
    Dependencies of dependencies, which often introduce hidden complexity and risk.

    SBOM Accuracy & Freshness Problem
    The challenge of keeping SBOMs up to date and reflective of real-world deployed systems.

    Compliance vs Operational Security
    The difference between producing artefacts to satisfy regulators and actually improving security posture.

    Vulnerability Management Integration
    Using SBOMs as input into processes that identify, prioritise, and remediate security vulnerabilities.

    AI-Generated Code Risk
    The increasing difficulty of understanding software composition as AI accelerates code generation and reuse.
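
    As an added illustration of the concepts above (this is not code from sbomify, Screenly or the podcast), the script below reads a CycloneDX-shaped SBOM, walks the dependency graph from the application root so that each hit is reported with the transitive path that pulls it in, matches component versions against an advisory feed, and separately flags the two classic accuracy gaps: refs the graph mentions that the component list never declares, and components declared but never wired into the graph. The SBOM, the graph and the advisory list are constructed inline and every package name, version and advisory ID is hypothetical; a real pipeline would feed purls to OSV or NVD instead of the inline table.

```python
"""Walk a CycloneDX-style SBOM, surface vulnerable transitive dependencies,
and flag gaps that make the SBOM untrustworthy.

Added example for this episode's topics; it is not code from sbomify,
Screenly or the podcast. The SBOM document, the dependency graph and the
advisory feed are constructed inline so it runs offline; every package name,
version and advisory ID is hypothetical.
"""
import json
from collections import deque

# Constructed CycloneDX-shaped SBOM. The components + dependencies layout
# follows the CycloneDX 1.x JSON schema; the contents are made up.
# Deliberate defects: "logfmt" is referenced in the graph but never declared
# as a component, and "leftover" is declared but never wired into the graph.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {
        "bom-ref": "pkg:pypi/myapp@1.0.0", "name": "myapp", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/webfw@2.3.1", "name": "webfw", "version": "2.3.1"},
        {"bom-ref": "pkg:pypi/httpclient@0.9.4", "name": "httpclient", "version": "0.9.4"},
        {"bom-ref": "pkg:pypi/tlslib@1.1.0", "name": "tlslib", "version": "1.1.0"},
        {"bom-ref": "pkg:pypi/yamlparse@5.0.0", "name": "yamlparse", "version": "5.0.0"},
        {"bom-ref": "pkg:pypi/leftover@0.1.0", "name": "leftover", "version": "0.1.0"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/myapp@1.0.0",
         "dependsOn": ["pkg:pypi/webfw@2.3.1", "pkg:pypi/yamlparse@5.0.0"]},
        {"ref": "pkg:pypi/webfw@2.3.1",
         "dependsOn": ["pkg:pypi/httpclient@0.9.4", "pkg:pypi/logfmt@0.3.0"]},
        {"ref": "pkg:pypi/httpclient@0.9.4", "dependsOn": ["pkg:pypi/tlslib@1.1.0"]},
        {"ref": "pkg:pypi/tlslib@1.1.0", "dependsOn": []},
        {"ref": "pkg:pypi/yamlparse@5.0.0", "dependsOn": []},
    ],
})

# Constructed advisory feed: package name -> [(advisory id, first fixed version)].
# A real pipeline would query OSV/NVD by purl instead; these IDs are hypothetical.
ADVISORIES = {
    "tlslib": [("ADV-0001", "1.2.0")],
    "yamlparse": [("ADV-0002", "5.1.0")],
}


def version_tuple(v):
    """Turn 'major.minor.patch' into a tuple that compares numerically."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def load_graph(sbom_text):
    """Return (components, edges, root_ref) from a CycloneDX JSON document."""
    doc = json.loads(sbom_text)
    root = doc["metadata"]["component"]
    components = {root["bom-ref"]: (root["name"], root["version"])}
    for c in doc.get("components", []):
        components[c["bom-ref"]] = (c["name"], c["version"])
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    return components, edges, root["bom-ref"]


def reachable_paths(root, edges):
    """Breadth-first walk from the root; maps each reachable ref to its shortest path."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for nxt in edges.get(cur, []):
            if nxt not in paths:          # first visit == shortest path (BFS)
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def audit_sbom(sbom_text, advisories=ADVISORIES):
    """Match every reachable component against the advisory feed.

    Returns (findings, gaps). Each finding records the dependency path, so the
    fix can target the direct dependency that drags the vulnerable one in.
    gaps lists refs the graph mentions but the component list lacks, plus
    components declared but unreachable: not vulnerabilities, but evidence the
    SBOM does not describe the deployed artefact faithfully.
    """
    components, edges, root = load_graph(sbom_text)
    paths = reachable_paths(root, edges)
    findings = []
    for ref, path in paths.items():
        if ref not in components:
            continue                       # dangling ref; reported under gaps
        name, version = components[ref]
        for adv_id, fixed_in in advisories.get(name, []):
            if version_tuple(version) < version_tuple(fixed_in):
                findings.append({
                    "advisory": adv_id, "component": name, "version": version,
                    "fixed_in": fixed_in, "depth": len(path) - 1,
                    "path": " -> ".join(components.get(r, (r, ""))[0] for r in path),
                })
    referenced = set(paths) | {t for targets in edges.values() for t in targets}
    gaps = sorted((referenced - set(components)) | (set(components) - set(paths)))
    findings.sort(key=lambda f: f["depth"])   # direct deps first: you can bump those yourself
    return findings, gaps


if __name__ == "__main__":
    found, missing = audit_sbom(SBOM_JSON)
    for f in found:
        print(f"{f['advisory']}: {f['component']} {f['version']} (fix {f['fixed_in']}) "
              f"depth={f['depth']} via {f['path']}")
    for ref in missing:
        print(f"SBOM gap: {ref}")
```

    The point of carrying the path rather than just the component name is the one the episode makes about compounding risk: the affected tlslib is three hops down and nothing in the application's own manifest mentions it, so the remediation target is webfw, not tlslib. The gaps list is the cheap sanity check to run before trusting any SBOM at all; a generator that emits dangling refs or orphaned components has already lost track of what was deployed.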

    1 hr 18 min