AG Cook - Britpop = album of the decade & it's not close

Ooh I missed Brett Larson's PEP 770: "Improving measurability of Python packages with Software Bill-of-Materials" peps.python.org/pep-0770/ Repo: github.com/psf/sboms-fo... Forum post: SBOMs for Python packages discuss.python.org/t/sboms-for-...

Just renamed my blog post in progress from “Tokenless auth” (bland, respectable) to “Look PyPA, no tokens!” (niche, confusing, made me laugh)

Nodding calmly as the Claude status ticker gives terrifying visions of CI blast radii

Okay friends, new side quest! I've started a Python core development newsletter! If you've ever wanted a regular summary straight to your inbox about all the cool things happening in CPython (and adjacent areas), this is it! Like and subscribe! First edition, room to grow! 🌳

Learning about supply chain sec the moderately hard way (responsibly disclosing a false positive)

New PRT vuln campaign on GitHub Actions www.wiz.io/blog/six-acc...

Visualised the changing popularity of Python package dependencies over time (text mode courtesy pretext!) lmmx.github.io/clickpydeps/

Energy prices going negative still does not compute to me

IDK who needs to see this but: query to show all the table fields of all tables in the pypi ClickHouse metadata store sql.clickhouse.com?query=U0VMRU...

who called them AI agents and not performative mail

feeling down while reviewing a ton of GitHub issues and realising I’m experiencing FOMO for other people’s open source what is wrong with me

Sifting through bulk OR-chained keyword search results is an amazing way to learn about a topic in open source I gotta say

monitoring the Sichuanation

chardet license violation thread, quality github.com/chardet/char...

"I hope the team will pay attention to this despite the fact that OP's message was written with LLM assistance and could be accused of catastrophising." github.com/googleapis/p...

._. www.tomshardware.com/software/mic...

Absolutely stellar blog post from @sethmlarson.dev and @miketheman.com about the recent LiteLLM supply chain attack, and what you can do to protect your projects! Everyone should read this post (and sponsor their _very important_ work!) blog.pypi.org/posts/2026-0...

This (not very) Polish girl is going to Kraków! My talk about the very coolest feature in Python 3.14, sys.remote_exec(), got accepted at @europython.eu! We'll be doing a deep dive on savannah.dev/posts/the-co...! Can't wait!

nuts github.com/axios/axios/...

😭

✍️ Attestations — PEP 740 (William Woodruff, Facundo Tuesca and Dustin Ingram; sponsored by Donald Stufft, 2024) peps.python.org/pep-0740/

🛡️ Trusty Pub now has a home on the web! lmmx.github.io/trusty-pub/ I’ve really not used GitHub Pages in a minute but was ironically a fitting time to throw zizmor and other good practices in the repo as a demo Also has a (non-exhaustive!) reading list under the Resources tab 👓📖

Ooh setup-uv got immutable releases github.com/astral-sh/se...

I'm not saying Trusted Publishing ought to be the main differentiator when picking dependencies but I did just find rtoml this way... 🤔

Made a little triage app with FastAPI/HTMX to track any issues opened about Trusted Publishing on a repo 😁

That all actual scientific evidence to date supports the notion that the COVID pandemic was caused by at least 2 zoonotic jumps at the Huanan market 👀🌶️

Interesting thread on scipy moving to CI releases (with Trusted Publishing, natch) github.com/scipy/scipy/...

GitHub Actions dep locking is coming (GA in 6 months) github.blog/news-insight...

Obligatory plug for prek auto-update --cooldown-days for supply chain attack protection 😇 prek.j178.dev/cli/?h=auto#...

> API tokens are Macaroons wat discuss.python.org/t/new-oidc-p...

State-sponsored leftpad is now

Amazing hacks behind this pure-CSS blurhash implementation.

Unfortunate finding from this is that among the ‘ghost’ packages that no longer exist on PyPI, is one named ‘aaaaaaaaa’ which is being downloaded >1M times a month clickpy.clickhouse.com/dashboard/aa... The dev was suspended for flooding PyPI/npm with malware in 2021 www.sophos.com/en-us/blog/g...

I reached a point as a kid where I developed the basic aesthetic sensibility to how techniques in film (like a swelling orchestral score) signalled an expected emotional response, and feeling it was ‘too easy’, essentially grew out of it — likewise how I feel about LLM gen essays

Specifically the point I noticed this was written with Claude sockpuppet.org/blog/2026/03... > Looping over source files iterates the process. …thud

New fav sloperator metaphor: "people paying a lot of money to race around a track without crash helmets"

~20% of the top 15k PyPI packages now use Trusted Publishing github.com/lmmx/trusty-... In the top 💯 it's ~55%, and 40% for the top 1000 🔏 Trusted Publishing package subset github.com/lmmx/trusty-... 🔓 No TP subset github.com/lmmx/trusty-...

PuppyVaxx AI powered mRNA vaccines made FOR dogs / BY dogs (raising at $1B valuation)

Trivy post-mortem github.com/aquasecurity...

333 PyPI packages on the wall, 333 with unresolved Trusted Publishing status, take one down, review-pkg $(ls * | tr -d : | sort | tail -1), 332 PyPI packages on the wall

Never underestimate the power of being locked into a rhythmic work loop

Noticed you can check the Trusted Publishing status of a given package/version on PyPI by clicking 'View details' on the 'Download files' page

I wish I’d known the .pth trick sooner 😅 (e.g. Polars plugin loading can now be done without worrying about F401)

saw someone respond to an LLM trained on Victorian-era writings with "by trained you mean stolen?" some people are negatively polarizing themselves into intellectual property stances that would make Disney's lawyers blush

We have passed the TB Horizon

I'd think both litellm/telnyx SCAs could have been detected faster had someone been following the PyPI release feed and cross-referenced the upload signature of each (a user agent like indicator of Python version & upload tool) vs. its last known good one

MJ Rathbun arrives from the future

🥸 Fact-check: does uv `constraint-dependencies` protect against ghost packages like the removed litellm versions? 👻 No! I tried, and it does not exorcise the-ghost in this demo from one of PyPI’s top malware researchers with a removed ("ghost") package www.cert.at/en/blog/2026...