All the world's developers are a toddler and X.509 is the neighbor's unfenced pool.

Dear GitHub: no YAML anchors, please https://blog.yossarian.net/2025/09/22/dear-github-no-yaml-anchors #programming #rant

Having met with both sides on the current RubyCentral/RubyGems situation, here's my take: - RubyCentral have managed this exceptionally poorly in many ways including removing literally the most active member of the RubyGems organisation by mistake who has declined to return

maslow’s hierarchy of needs? yeah, I think I’ve heard of that somewhere before

One year of zizmor https://blog.yossarian.net/2025/09/14/one-year-of-zizmor #devblog #programming #rust #zizmor

finally learned what a "labubu" is from my local bodega. very helpful

Just cut a new release of `pypi-publish` v1.13.0! It's got internal runtime update, housekeeping, also diagnostic messages and security improvements from @yossarian.net! github.com/pypa/gh-acti... / github.com/pypa/gh-acti... #python #Packaging

i went on tom, deirdre, and david's podcast and talked about PGP and encrypted email: securitycryptographywhatever.com/2025/08/22/s...

grape nuts is the only good cereal

PyPI now serves PEP 792 project statuses in its APIs. that means you can now programmatically check if a package is archived, quarantined, etc.! blog.pypi.org/posts/2025-0...

The Go 1.25 change I am most excited about is the new synctest package. How I think about it is as a way to deflake tests by simulating an infinitely fast processor (because time doesn’t move until all work is done), and then shorten them by compressing time (because time jumps once it moves).

Fun with finite state transducers https://blog.yossarian.net/2025/08/14/Fun-with-finite-state-transducers #devblog #programming #rust #zizmor

Today, we're announcing our first hosted infrastructure product: pyx, a Python-native package registry. We think of pyx as an optimized backend for uv: it’s a package registry, but it also solves problems that go beyond the scope of a traditional "package registry".

zizmor v1.12.0 is released! this release comes with one new audit (unsound-condition), support for auto-fixing three more finding classes, plus much more in the way of general enhancements and bug fixes. full details here: docs.zizmor.sh/release-note...

zizmor v1.11.0 is out! this release comes with experimental LSP support and an accompanying vscode extension: marketplace.visualstudio.com/items?itemNa... full release notes here: docs.zizmor.sh/release-note...

Do you want to find out more about how @grafana.bsky.social secures its GitHub actions using Zizmor? Check out this post from James on my team : grafana.com/blog/2025/06... @yossarian.net

zizmor v1.10.0 is released! this is a *huge* new release: it exposes a new (experimental) auto-fix mode, more precise subspanning for fixtures, as well as a brand new pedantic audit (anonymous-definition) read the full notes here: docs.zizmor.sh/release-note...

"Tuscolo2025h2, Tuscolo2026h1, and Tuscolo2026h2 have passed their compliance monitoring period and will be added to an upcoming version of Chrome." issues.chromium.org/issues/41669... The Geomys Certificate Transparency logs are on their way to become the first trusted Static CT API logs! 🎉

thank you @grafana.bsky.social for being a logo-level sponsor of zizmor! (and also thank you @mosi.bsky.social and other folks at Grafana who've been sending me patches -- the next few releases are going to have a lot of really great new features)

A new adventure https://blog.yossarian.net/2025/06/17/a-new-adventure #lifestyle

This is a piece I wrote with the Latacora team back in 2020 that came up today in light of the (yikes) OpenPGP.js bug. It's the best security advice I've given, and it includes a section that was lost in the migration from micro.blog. Stop using encrypted email. www.latacora.com/blog/2020/02...

Bypassing GitHub Actions policies in the dumbest way possible https://blog.yossarian.net/2025/06/11/github-actions-policies-dumb-bypass #security

pronouncing knicks like knish

i did an interview with Once a Maintainer about open source and supply chain security! onceamaintainer.substack.com/p/once-a-mai...

zizmor v1.8.0 is out! besides changes to the official website and org: * you can now use `ZIZMOR_CONFIG` to pass a config file, as an alternative to `--config` * index-style contexts no longer cause false positives in the `template-injection` audit read more here: docs.zizmor.sh/release-note...

I chatted with @yossarian.net about securing GitHub Actions with Zizmor I learned a ton, and given all the recent news about GitHub Actions, everyone should be looking at Zizmor opensourcesecurity.io/2025/2025-05...

Ho boy, I'm excited for @sethmlarson.dev and I to hit the main stage at #PyConUS 2025 us.pycon.org/2025/schedul... Sunday morning!

A Discord server and new GitHub organization for zizmor https://blog.yossarian.net/2025/05/07/zizmor-discord-server-github-org #security #oss #devblog #programming #rust #zizmor

my colleague @darkamaul.bsky.social has a new blog post on the @trailofbits.bsky.social blog about how we worked with @pypi.org's maintainers to slash test times on PyPI by over 80%: blog.trailofbits.com/2025/05/01/m...

i've released zizmor v1.6.0, with one new audit (forbidden-uses), one rewritten audit (unpinned-uses), a new output mode, and a whole bunch of bugfixes! read the full release notes here: woodruffw.github.io/zizmor/relea...

i'm very excited about this new work my team at @trailofbits is doing: we're building an ASN.1 API for PyCA Cryptography, giving users direct access to the same memory-safe, high-performance DER parser that Cryptography already uses for X.509: blog.trailofbits.com/2025/04/18/s...

TIL Any program can be a GitHub Actions shell yossarian.net/til/post/any...

hope this helps

it seems very weird to me that LSP is/was advertised as a solution to the NxM matrix problem in IDEs, but to use an LSP server in vscode you still need to write a custom extension ("LSP client") that only talks to your particular LSP server (other editors/IDEs seem to get this right, e.g. vim-lsp)

Check out @yossarian.net’s article on Zizmor, a vulnerability scanner for GitHub workflows! 🔎 It even catches actions pinned to impostor commits! (Don’t know what they are? They’re described earlier in the same issue!)

Learning about zizmor, a static analysis tool for GitHub Actions from @yossarian.net github.com/woodruffw/zi...

you can now archive projects on @pypi.org! this work was done by my teammate Facundo @trailofbits.bsky.social and is part of a larger multi-year arc of work dedicated to landing security and usability improvements on PyPI: blog.trailofbits.com/2025/01/30/p...

zizmor v1.2.0 is released! this release brings a new audit (bot-conditions), which can detect spoofable `github.actor` checks. it also brings bugfixes/accuracy improvements across the board! many thanks to astral.sh for being our first logo sponsor! notes here: woodruffw.github.io/zizmor/relea...

Be aware of the Makefile effect https://blog.yossarian.net/2025/01/10/Be-aware-of-the-Makefile-effect #programming

i'll be speaking at FOSDEM in the Security Devroom about zizmor and GitHub Actions security! details here: fosdem.org/2025/schedul... #fosdem #fosdem2025

Don't miss the sequel: adnanthekhan.com/2024/12/21/c... #github #infosec #cachepoisoning #supplychainsecurity #supplychainattack

zizmor 1.0 https://blog.yossarian.net/2025/01/02/zizmor-1-0 #security #oss #devblog #programming #rust

thank you to everyone who matched me, and especially to @filippo.abyssdomain.expert! together we raised just over $9830 USD for Anera, HIAS, ProPublica, and the PSF!

1735 * 5 = $8675 has been matched so far, leaving 265 * 5 = $1325! be one of the last few people to match me and @filippo.abyssdomain.expert! bsky.app/profile/yoss...

about 1200 * 5 = 6000 has been matched so far, leaving 800 * 5 = $4000 left! thanks to everybody who has matched me so far!

William is doing a donation drive for these charities: between him, his employer, and me, we’re matching donations up to $2000 four-fold to $10000. Send him receipts!

hi all, i'm doing another round of donations. i'm matching up to $2000 and my company and @filippo.abyssdomain.expert are graciously matching as well, so every $1 you donate gets quadrupled! charities in next post (1/2)

Last week the Python package "Ultralytics" suffered a supply-chain attack on its build and release process. This is a review of the attack from @pypi.org's perspective. There's plenty of advice for how Python projects can increase their #security posture: blog.pypi.org/posts/2024-1...

Thoroughly enjoyed this write up of the recent ultralytics compromise