William Woodruff (1.3.6.1.4.1.55738)
@yossarian.net
skeeting in accordance with the universal law.

yossarian.net / blog.yossarian.net
December 29, 2025 at 3:35 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
At the gpg.fail talk and omg #39c3

You can just put a \0 in the Hash: header and then newlines and inject text in a cleartext message.

Won’t even blame PGP here. C is unsafe at any speed.

gpg has not fixed it yet.
December 27, 2025 at 4:31 PM
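The injection described in the post above relies on a NUL byte (and a following newline) living inside an armor header line, where a reader or verifier can lose track of where the headers stop and the signed text begins. Below is an added example, written for this page and not taken from the talk, the post, or GnuPG: a framing pre-check that refuses a clearsigned message whose armor headers are not plain `Hash: <algorithm list>` lines made of printable ASCII, so that a header such as `Hash: SHA256\0` never reaches a verifier. It works on bytes deliberately, because a text-mode reader might silently drop or mangle the NUL. The sample messages, including the signature block contents, are constructed placeholders.

```python
"""Framing check for PGP clearsigned messages: reject non-printable armor headers."""
import re

BEGIN = b"-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = b"-----BEGIN PGP SIGNATURE-----"
SIG_END = b"-----END PGP SIGNATURE-----"

# RFC 4880 section 7: the cleartext signature framework defines only the Hash
# header, whose value is a comma-separated list of digest names.
HASH_NAMES = {b"MD5", b"SHA1", b"RIPEMD160", b"SHA256", b"SHA384", b"SHA512", b"SHA224"}
# Header lines must be printable ASCII only (0x20..0x7e); a NUL or any other
# control byte fails this match and is reported instead of being tolerated.
HEADER_RE = re.compile(rb"^Hash: ([\x20-\x7e]+)$")


def check_clearsigned(msg: bytes) -> list:
    """Return a list of framing problems; an empty list means the framing is sane.

    Splitting on b"\\n" keeps a NUL inside its header line, so the header with
    the smuggled byte is rejected, and any text injected after the NUL shows
    up as an extra, malformed header line before the blank separator.
    """
    problems = []
    lines = [ln.rstrip(b"\r") for ln in msg.split(b"\n")]
    if not lines or lines[0] != BEGIN:
        return ["missing BEGIN PGP SIGNED MESSAGE line"]
    i = 1
    while i < len(lines) and lines[i] != b"":
        m = HEADER_RE.match(lines[i])
        if m is None:
            problems.append(f"malformed armor header line {i}: {lines[i]!r}")
        else:
            for name in m.group(1).split(b","):
                if name.strip() not in HASH_NAMES:
                    problems.append(f"unknown hash algorithm {name.strip()!r}")
        i += 1
    if i == len(lines):
        problems.append("no blank line terminating the armor headers")
    if SIG_BEGIN not in lines or SIG_END not in lines:
        problems.append("missing PGP SIGNATURE block")
    return problems


# Constructed samples; the base64-looking line is a placeholder, not a real signature.
GOOD = (
    b"-----BEGIN PGP SIGNED MESSAGE-----\n"
    b"Hash: SHA256\n"
    b"\n"
    b"Pay 10 EUR to Alice.\n"
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"\n"
    b"iQEzBAEBCAAd(constructed placeholder)\n"
    b"-----END PGP SIGNATURE-----\n"
)
# Same message, but the Hash header carries a NUL followed by a newline and
# injected text, as the post describes.
BAD = (
    b"-----BEGIN PGP SIGNED MESSAGE-----\n"
    b"Hash: SHA256\x00\n"
    b"Pay 1000 EUR to Mallory.\n"
    b"\n"
    b"Pay 10 EUR to Alice.\n"
    b"-----BEGIN PGP SIGNATURE-----\n"
    b"\n"
    b"iQEzBAEBCAAd(constructed placeholder)\n"
    b"-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, check_clearsigned(sample) or "ok")
```

This only validates framing; it says nothing about whether the signature verifies. Run it before handing the message to your OpenPGP implementation, and treat any non-empty result as a reason to refuse the message rather than to display it.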
TIL: serde's borrowing can be treacherous

yossarian.net/til/post/ser...
TIL: serde's borrowing can be treacherous
yossarian.net
December 25, 2025 at 10:01 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
so pumped for the ty beta to finally be here, we did so much great work it rules! astral.sh/blog/ty
ty: An extremely fast Python type checker and language server
ty is an extremely fast Python type checker and language server, written in Rust, and designed as an alternative to mypy, Pyright, and Pylance.
astral.sh
December 16, 2025 at 9:03 PM
December 13, 2025 at 4:56 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
I've been SHA-1 pinning ever since I started using GitHub Actions, but I didn't think of transitive (compound) actions, which can use unpinned sub-actions. This is fine 🔥🐶☕🔥

Time to set up zizmor.sh by @yossarian.net for automated scanning, I've had it in my "tools to try" list for a bit.
GitHub Actions Has a Package Manager, and It Might Be the Worst
GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning
nesbitt.io
December 8, 2025 at 12:06 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
I'm a big fan of zizmor.sh by @yossarian.net to provide static analysis of GitHub Actions workflows as I'm working on them. The remediation advice is also top notch, for `pull_request_target` as an example: docs.zizmor.sh/audits/#dang...
zizmor - Static Analysis for GitHub Actions
Find and fix potential vulnerabilities in your GitHub workflows and action definitions with zizmor's powerful static analysis.
zizmor.sh
December 1, 2025 at 3:59 PM
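The two posts above touch on two separate checks: transitive pinning (a SHA-pinned workflow can still pull an unpinned sub-action through a composite action's `runs.steps`), and `pull_request_target` workflows that check out the pull request's head. The example below is added here and is not zizmor's code or the posters'; it is a deliberately simple line-oriented scan (no YAML parser, so it runs offline) that covers both. It reports any `uses:` reference that is not pinned to a full 40-hex commit SHA, in workflow files and composite `action.yml` files alike, and flags a workflow that both triggers on `pull_request_target` and checks out `github.event.pull_request.head.ref` or `.sha`. The workflow, the composite action, the organisation name and the commit SHA in the samples are constructed.

```python
"""Line-oriented scan for unpinned `uses:` refs and pull_request_target checkouts."""
import re

# `- uses: owner/repo@ref` or `uses: "owner/repo@ref"`, capturing the reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Block-style `pull_request_target:` under `on:`, or the inline list form.
TRIGGER_RE = re.compile(
    r"^\s*(?:-\s*)?pull_request_target\s*:?\s*(?:#.*)?$"
    r"|^\s*on:\s*\[.*\bpull_request_target\b"
)
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(?:ref|sha)")


def unpinned_uses(text: str) -> list:
    """Return every `uses:` reference not pinned to a 40-hex commit SHA.

    Works the same on a workflow and on a composite action.yml, which is the
    point: the sub-actions a composite action pulls in need pinning too.
    Local paths (./...) and docker:// images are skipped as out of scope.
    """
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _repo, _, rev = ref.partition("@")
        if not SHA_RE.match(rev):
            findings.append(ref)
    return findings


def dangerous_pr_target(text: str) -> bool:
    """True if the workflow triggers on pull_request_target and checks out PR head.

    pull_request_target runs with the base repository's secrets and write
    token, so checking out the untrusted head and running anything from it
    hands those to the PR author. A bare pull_request trigger does not.
    """
    lines = text.splitlines()
    has_trigger = any(TRIGGER_RE.match(ln) for ln in lines)
    checks_out_head = any(HEAD_REF_RE.search(ln) for ln in lines)
    return has_trigger and checks_out_head


# Constructed workflow: one unpinned action, one SHA-pinned action (SHA is a
# made-up placeholder), one local composite action, one docker image.
WORKFLOW = """\
name: ci
on:
  pull_request_target:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: ./.github/actions/lint
      - uses: docker://alpine:3.20
"""

# Constructed composite action: this is the transitive, unpinned dependency
# that a scan of WORKFLOW alone would never see.
COMPOSITE_ACTION = """\
name: lint
runs:
  using: composite
  steps:
    - uses: example-org/lint-action@v1
    - run: ./lint.sh
      shell: bash
"""

if __name__ == "__main__":
    print("workflow unpinned:", unpinned_uses(WORKFLOW))
    print("composite unpinned:", unpinned_uses(COMPOSITE_ACTION))
    print("dangerous pull_request_target:", dangerous_pr_target(WORKFLOW))
```

In practice you would run `unpinned_uses` over every `action.yml` reachable from the workflow's local `uses: ./...` references as well as the workflow itself; the fix for the second finding is to switch the trigger to `pull_request`, or, where `pull_request_target` is genuinely needed, to never check out or execute the PR head in that job.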
Reposted by William Woodruff (1.3.6.1.4.1.55738)
There's a nasty #OpenSource #SupplyChain worm going around named Shai-Hulud. It's also capable of exposing some projects' long-lived PyPI API Tokens. Read more on what's happening, and what you can do to protect your projects.

TL;DR: Adopt Trusted Publishing 🔐🚀📦

blog.pypi.org/posts/2025-1...
PyPI and Shai-Hulud: Staying Secure Amid Emerging Threats - The Python Package Index Blog
Shai-Hulud is a great worm, not yet a snake. Attack on npm ecosystem may have implications for PyPI.
blog.pypi.org
November 26, 2025 at 9:02 PM
November 21, 2025 at 2:45 PM
TIL: Safari has built-in WebDriver support

yossarian.net/til/post/saf...
TIL: Safari has built-in WebDriver support
yossarian.net
October 6, 2025 at 12:32 AM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
All the world's developers are a toddler and X.509 is the neighbor's unfenced pool.
September 24, 2025 at 10:23 PM
September 22, 2025 at 2:32 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
Having met with both sides on the current RubyCentral/RubyGems situation, here's my take:

- RubyCentral have managed this exceptionally poorly in many ways, including removing, by mistake, literally the most active member of the RubyGems organisation, who has declined to return
September 19, 2025 at 7:04 PM
maslow’s hierarchy of needs? yeah, I think I’ve heard of that somewhere before
September 15, 2025 at 8:04 PM
finally learned what a "labubu" is from my local bodega. very helpful
September 10, 2025 at 6:23 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
Just cut a new release of `pypi-publish` v1.13.0!

It's got an internal runtime update, housekeeping, and also diagnostic messages and security improvements from @yossarian.net!

github.com/pypa/gh-acti... / github.com/pypa/gh-acti...

#python #Packaging
Release v1.13.0 · pypa/gh-action-pypi-publish
Take the 2025 Python Packaging Survey if you still haven't! Important🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @woodruffw💰. We've also integrated Zizmor to catch similar i...
github.com
September 4, 2025 at 1:52 AM
I went on Tom, Deirdre, and David's podcast and talked about PGP and encrypted email:

securitycryptographywhatever.com/2025/08/22/s...
Stop Using Encrypted Email with William Woodruff
There was a bug in an OpenPGP library which finally gave us an excuse to tear encrypted email via PGP to shreds. Our special guest William Woodruff joined us...
securitycryptographywhatever.com
August 23, 2025 at 2:51 AM
grape nuts is the only good cereal
August 17, 2025 at 12:56 AM
PyPI now serves PEP 792 project statuses in its APIs. that means you can now programmatically check if a package is archived, quarantined, etc.!

blog.pypi.org/posts/2025-0...
PyPI now serves project status markers in API responses - The Python Package Index Blog
PyPI has implemented PEP 792, and is now serving project status markers in its standard HTML and JSON APIs.
blog.pypi.org
August 14, 2025 at 7:23 PM
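The post above says the status markers are now queryable. The example below is added here and is not PyPI's code or the author's: it reads the PEP 792 `project-status` object from a PEP 691 JSON simple-index response and turns it into an install gate that blocks quarantined projects and warns on archived or deprecated ones. The four status values and the optional `reason` field are from PEP 792; treating a missing marker as `active` is my reading of the key being optional. The sample responses are constructed; `fetch_simple_json` talks to the live index using the PEP 691 `Accept` header and is not exercised offline.

```python
"""Gate installs on PEP 792 project status markers from the PyPI simple API."""
import json
import urllib.request
from typing import Optional, Tuple

# PEP 792 status values. A response with no marker is treated as active here.
STATUSES = {"active", "archived", "quarantined", "deprecated"}
# Quarantined means the index has pulled the project pending review, so a CI
# gate should refuse it outright; archived/deprecated only warrant a warning.
BLOCKING = {"quarantined"}


def project_status(simple_response: dict) -> Tuple[str, Optional[str]]:
    """Extract (status, reason) from a PEP 691 JSON simple-index response."""
    marker = simple_response.get("project-status") or {}
    status = marker.get("status", "active")
    if status not in STATUSES:
        raise ValueError(f"unknown project status {status!r}")
    return status, marker.get("reason")


def gate(responses: dict) -> dict:
    """Classify projects into 'blocked' and 'warn' from their simple responses.

    `responses` maps project name -> parsed JSON response for that project.
    """
    out = {"blocked": [], "warn": []}
    for name, resp in responses.items():
        status, reason = project_status(resp)
        if status == "active":
            continue
        entry = f"{name}: {status} ({reason or 'no reason given'})"
        out["blocked" if status in BLOCKING else "warn"].append(entry)
    return out


def fetch_simple_json(project: str) -> dict:
    """Fetch the live PEP 691 JSON for one project (network; not used offline)."""
    req = urllib.request.Request(
        f"https://pypi.org/simple/{project}/",
        headers={"Accept": "application/vnd.pypi.simple.v1+json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed responses in the PEP 691 shape; the file lists are left empty.
SAMPLE = {
    "goodlib": {"meta": {"api-version": "1.4"}, "name": "goodlib", "files": []},
    "oldlib": {
        "meta": {"api-version": "1.4"}, "name": "oldlib", "files": [],
        "project-status": {"status": "archived", "reason": "Unmaintained since 2023"},
    },
    "badlib": {
        "meta": {"api-version": "1.4"}, "name": "badlib", "files": [],
        "project-status": {"status": "quarantined", "reason": "Reported as malware"},
    },
}

if __name__ == "__main__":
    result = gate(SAMPLE)
    print("blocked:", result["blocked"])
    print("warn:", result["warn"])
```

To gate a real dependency list, replace `SAMPLE` with `{name: fetch_simple_json(name) for name in names}` and fail the build when `gate(...)["blocked"]` is non-empty.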
Reposted by William Woodruff (1.3.6.1.4.1.55738)
The Go 1.25 change I am most excited about is the new synctest package.

How I think about it is as a way to deflake tests by simulating an infinitely fast processor (because time doesn’t move until all work is done), and then shorten them by compressing time (because time jumps once it moves).
Quoting Go (@golang.org), Aug 12:
🎊 Go 1.25.0 is released!

📝 Release notes: https://go.dev/doc/go1.25

⬇️ Download: https://go.dev/dl/#go1.25.0

#golang
August 12, 2025 at 10:14 PM
August 14, 2025 at 4:53 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
Today, we're announcing our first hosted infrastructure product: pyx, a Python-native package registry.

We think of pyx as an optimized backend for uv: it’s a package registry, but it also solves problems that go beyond the scope of a traditional "package registry".
August 13, 2025 at 6:24 PM
zizmor v1.12.0 is released!

this release comes with one new audit (unsound-condition), support for auto-fixing three more finding classes, plus much more in the way of general enhancements and bug fixes.

full details here:

docs.zizmor.sh/release-note...
Release Notes - zizmor
Abbreviated change notes about each zizmor release.
docs.zizmor.sh
August 13, 2025 at 4:13 PM