Some flexibility with Go’s sumdb https://blog.yossarian.net/2025/12/29/Some-flexibility-with-Go-s-sumdb #security #go #cryptography

At the gpg.fail talk and omg #39c3 You can just put a \0 in the Hash: header and then newlines and inject text in a cleartext message. Won’t even blame PGP here. C is unsafe at any speed. gpg has not fixed it yet.

TIL: serde's borrowing can be treacherous yossarian.net/til/post/ser...

so pumped for the ty beta to finally be here, we did so much great work it rules! astral.sh/blog/ty

Dependency cooldowns, redux https://blog.yossarian.net/2025/12/13/cooldowns-redux #security #oss

I've been SHA-1 pinning ever since I started using GitHub Actions, but I didn't think of transitive (compound) actions, which can use unpinned sub-actions. This is fine 🔥🐶☕🔥 Time to setup zizmor.sh by @yossarian.net for automated scanning, I've had it in my "tools to try" list for a bit.

ICYMI, we want your #security talks at #PyConUS 🤩 CFP closes December 19th #python #supplychain #opensource #oss pycon.blogspot.com/2025/11/trai...

I'm a big fan of zizmor.sh by @yossarian.net to provide static analysis of GitHub Actions workflows as I'm working on them. The remediation advice is also top notch, for `pull_request_target` as an example: docs.zizmor.sh/audits/#dang...

There's a nasty #OpenSource #SupplyChain worm going around named Shai-Hulud. It's also capable of exposing some projects' long-lived PyPI API Tokens. Read more on what's happening, and what you can do to protect your projects. TL,DR: Adopt Trusted Publishing 🔐🚀📦 blog.pypi.org/posts/2025-1...

We should all be using dependency cooldowns https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns #security #oss

TIL: Safari has built-in WebDriver support yossarian.net/til/post/saf...

All the world's developers are a toddler and X.509 is the neighbor's unfenced pool.

Dear GitHub: no YAML anchors, please https://blog.yossarian.net/2025/09/22/dear-github-no-yaml-anchors #programming #rant

Having met with both sides on the current RubyCentral/RubyGems situation, here's my take: - RubyCentral have managed this exceptionally poorly in many ways including removing literally the most active member of the RubyGems organisation by mistake who has declined to return

maslow’s hierarchy of needs? yeah, I think I’ve heard of that somewhere before

One year of zizmor https://blog.yossarian.net/2025/09/14/one-year-of-zizmor #devblog #programming #rust #zizmor

finally learned what a "labubu" is from my local bodega. very helpful

Just cut a new release of `pypi-publish` v1.13.0! It's got internal runtime update, housekeeping, also diagnostic messages and security improvements from @yossarian.net! github.com/pypa/gh-acti... / github.com/pypa/gh-acti... #python #Packaging

i went on tom, deirdre, and david's podcast and talked about PGP and encrypted email: securitycryptographywhatever.com/2025/08/22/s...

grape nuts is the only good cereal

PyPI now serves PEP 792 project statuses in its APIs. that means you can now programmatically check if a package is archived, quarantined, etc.! blog.pypi.org/posts/2025-0...

The Go 1.25 change I am most excited about is the new synctest package. How I think about it is as a way to deflake tests by simulating an infinitely fast processor (because time doesn’t move until all work is done), and then shorten them by compressing time (because time jumps once it moves).

Fun with finite state transducers https://blog.yossarian.net/2025/08/14/Fun-with-finite-state-transducers #devblog #programming #rust #zizmor

Today, we're announcing our first hosted infrastructure product: pyx, a Python-native package registry. We think of pyx as an optimized backend for uv: it’s a package registry, but it also solves problems that go beyond the scope of a traditional "package registry".

zizmor v1.12.0 is released! this release comes with one new audit (unsound-condition), support for auto-fixing three more finding classes, plus much more in the way of general enhancements and bug fixes. full details here: docs.zizmor.sh/release-note...

zizmor v1.11.0 is out! this release comes with experimental LSP support and an accompanying vscode extension: marketplace.visualstudio.com/items?itemNa... full release notes here: docs.zizmor.sh/release-note...

Do you want to find out more about how @grafana.bsky.social secures its GitHub actions using Zizmor? Check out this post from James on my team : grafana.com/blog/2025/06... @yossarian.net

zizmor v1.10.0 is released! this is a *huge* new release: it exposes a new (experimental) auto-fix mode, more precise subspanning for fixtures, as well as a brand new pedantic audit (anonymous-definition) read the full notes here: docs.zizmor.sh/release-note...

"Tuscolo2025h2, Tuscolo2026h1, and Tuscolo2026h2 have passed their compliance monitoring period and will be added to an upcoming version of Chrome." issues.chromium.org/issues/41669... The Geomys Certificate Transparency logs are on their way to become the first trusted Static CT API logs! 🎉

thank you @grafana.bsky.social for being a logo-level sponsor of zizmor! (and also thank you @mosi.bsky.social and other folks at Grafana who've been sending me patches -- the next few releases are going to have a lot of really great new features)

A new adventure https://blog.yossarian.net/2025/06/17/a-new-adventure #lifestyle

This is a piece I wrote with the Latacora team back in 2020 that came up today in light of the (yikes) OpenPGP.js bug. It's the best security advice I've given, and it includes a section that was lost in the migration from micro.blog. Stop using encrypted email. www.latacora.com/blog/2020/02...

Bypassing GitHub Actions policies in the dumbest way possible https://blog.yossarian.net/2025/06/11/github-actions-policies-dumb-bypass #security

pronouncing knicks like knish

i did an interview with Once a Maintainer about open source and supply chain security! onceamaintainer.substack.com/p/once-a-mai...

zizmor v1.8.0 is out! besides changes to the official website and org: * you can now use `ZIZMOR_CONFIG` to pass a config file, as an alternative to `--config` * index-style contexts no longer cause false positives in the `template-injection` audit read more here: docs.zizmor.sh/release-note...

I chatted with @yossarian.net about securing GitHub Actions with Zizmor I learned a ton, and given all the recent news about GitHub Actions, everyone should be looking at Zizmor opensourcesecurity.io/2025/2025-05...

Ho boy, I'm excited for @sethmlarson.dev and I to hit the main stage at #PyConUS 2025 us.pycon.org/2025/schedul... Sunday morning!

A Discord server and new GitHub organization for zizmor https://blog.yossarian.net/2025/05/07/zizmor-discord-server-github-org #security #oss #devblog #programming #rust #zizmor

my colleague @darkamaul.bsky.social has a new blog post on the @trailofbits.bsky.social blog about how we worked with @pypi.org's maintainers to slash test times on PyPI by over 80%: blog.trailofbits.com/2025/05/01/m...

i've released zizmor v1.6.0, with one new audit (forbidden-uses), one rewritten audit (unpinned-uses), a new output mode, and a whole bunch of bugfixes! read the full release notes here: woodruffw.github.io/zizmor/relea...

i'm very excited about this new work my team at @trailofbits is doing: we're building an ASN.1 API for PyCA Cryptography, giving users direct access to the same memory-safe, high-performance DER parser that Cryptography already uses for X.509: blog.trailofbits.com/2025/04/18/s...

TIL Any program can be a GitHub Actions shell yossarian.net/til/post/any...

hope this helps

it seems very weird to me that LSP is/was advertised as a solution to the NxM matrix problem in IDEs, but to use an LSP server in vscode you still need to write a custom extension ("LSP client") that only talks to your particular LSP server (other editors/IDEs seem to get this right, e.g. vim-lsp)

Check out @yossarian.net’s article on Zizmor, a vulnerability scanner for GitHub workflows! 🔎 It even catches actions pinned to impostor commits! (Don’t know what they are? They’re described earlier in the same issue!)

Learning about zizmor, a static analysis tool for GitHub Actions from @yossarian.net github.com/woodruffw/zi...

you can now archive projects on @pypi.org! this work was done by my teammate Facundo @trailofbits.bsky.social and is part of a larger multi-year arc of work dedicated to landing security and usability improvements on PyPI: blog.trailofbits.com/2025/01/30/p...

zizmor v1.2.0 is released! this release brings a new audit (bot-conditions), which can detect spoofable `github.actor` checks. it also brings bugfixes/accuracy improvements across the board! many thanks to astral.sh for being our first logo sponsor! notes here: woodruffw.github.io/zizmor/relea...

Be aware of the Makefile effect https://blog.yossarian.net/2025/01/10/Be-aware-of-the-Makefile-effect #programming