yossarian

@yossarian@infosec.exchange

engineering director https://infosec.exchange/@trailofbits and general interloper; attracts bugs easily

yossarian, to random

for the past 8 months, my team at @trailofbits has been building a new, pure-Rust X.509 validator for the Python ecosystem, and we're announcing it today!

our implementation is part of PyCA Cryptography, meaning that it's a single pip install cryptography away. we'd like to especially thank the PyCA maintainers for their intensive review and support, as well as the @sovtechfund for funding this effort!

read more here:

https://blog.trailofbits.com/2024/01/25/we-build-x-509-chains-so-you-dont-have-to/

yossarian, to random

2023 was another bumper crop year for OSS contributions at @trailofbits!

we put together a long and yet still very abbreviated summary of them here: https://blog.trailofbits.com/2024/01/24/celebrating-our-2023-open-source-contributions/

yossarian, to random

just learned that json schema has control flow in it. terrible.

yossarian, to random

what is man? a miserable little pile of pull requests

hynek, to random

Heads up everyone using my approach to measuring Python code coverage as detailed in https://hynek.me/articles/ditch-codecov-python/ – GitHub rolled out v4 of upload-artifact that breaks a shitton of workflows including that one.

Do NOT update actions/upload-artifact for Coverage to v4. I have added a warning to the top of the blog post and I will try to come up with a new solution.

Unfortunately, that’s ANOTHER tone-deaf move by GitHub introducing community-wide breakage & I hope they’ll see reason & help migrate.

yossarian,

@hynek this is also going to break a ton of publishing workflows for similar reasons — I’ve historically been a huge booster of GHA but this is another really disappointing choice by them

yossarian, to random

RubyGems now supports Trusted Publishing, thanks to the hard work of @segiddins: https://blog.rubygems.org/2023/12/14/trusted-publishing.html

I'm beyond jazzed about this: they were inspired by @pypi's Trusted Publishing functionality, which @trailofbits helped implement back in April!

yossarian, to random

"machine-generated PRs don't automatically run github workflows, but will run them if you close and re-open the PR" is probably my most load-bearing GitHub bug

yossarian, to random

“don’t roll your own crypto” im built different

yossarian, to random

The open source team at @trailofbits completed an audit of Warehouse and cabotage, the codebases that power @pypi and serve billions of Python packages weekly.

Read a summary of our report here: https://blog.trailofbits.com/2023/11/14/our-audit-of-pypi/

yossarian, to random

peanut butter jar 🤝 therapist
“separation is natural”

yossarian, to random

they should bring back wood paneling on computers. I want a MacBook with a tasteful walnut finish

yossarian,

@sethmlarson if you get a granite iphone i want a himalayan pink salt ipad

yossarian, (edited) to random

my team at @trailofbits is adding verifiable build provenance to @homebrew, in partnership with Alpha-Omega and the @openssf! this work will secure the packages that millions of macOS and Linux developers depend on:

https://blog.trailofbits.com/2023/11/06/adding-build-provenance-to-homebrew/

yossarian, to random

I am so sleepy

yossarian, to random

i'm super excited to present at @packagingcon on behalf of @trailofbits!

i'll be speaking about the work we did on @pypi's Trusted Publishing feature, how it works, and how other packaging ecosystems can reap its benefits!

talk details here: https://cfp.packaging-con.org/2023/talk/HBANTG/

some additional details from our blog: https://blog.trailofbits.com/2023/05/23/trusted-publishing-a-new-benchmark-for-packaging-security/

yossarian, to random

Finally, a Real Computer

yossarian, to random

"average package contains 3 vulnerabilities" factoid actually just statistical error. average package contains 0 vulnerabilities; ReDoS georg, who lives in NIST and creates 10,000 CVEs a day is an outlier and should not have been counted

yossarian, to random

we've officially released sigstore-python 2.0!

release announcement here: https://blog.sigstore.dev/announcing-sigstore-python-20/

whitequark, to random

did you know LLVM includes a RIFF implementation (more widely known as "the container used in .wav files")?

it stores the compilation index in it

yossarian,

@whitequark the cursed counterpart to this is that LLVM uses a VBR encoding for the bitcode format itself, not unlike MPEG-3 VBR

yossarian, to random

oh no ! there is a cycle in my supply chain !

yossarian, to random

@sethmlarson and @cheukting_ho talking about the last two months of PSF SecDevInRes successes and upcoming work!

(crazy colors are a photo artifact)

yossarian,

great summary, and a great indicator of how much Python packaging has matured and will continue to mature thanks to folks like @cheukting_ho and @sethmlarson
