Mike Fiedler
@miketheman.com
Code Gardener. Wrangler of the Unusual. Roller Derby referee. AWS Hero. PyPI Maintainer. Shakshuka lover. he/him

https://miketheman.dev
New @pypi.org blog

TL;DR:
- Trusted Publishing used for 25% of all files uploaded in Oct 2025
- @gitlab.com Self-Managed now in beta
- Pending Publishers can be added for Organizations, too!

#Python #SupplyChain #Security

Read it here: blog.pypi.org/posts/2025-1...
Trusted Publishing is popular, now for GitLab Self-Managed and Organizations - The Python Package Index Blog
Expansion of Trusted Publishers feature for more impact
blog.pypi.org
November 10, 2025 at 8:08 PM
Reposted by Mike Fiedler
As the PSF heads into our end-of-year fundraiser this month, we want to “connect the dots” and share a full picture of our current financial outlook: what’s happening, why, and how you can help sustain the future of Python and the PSF. 🧵
Connecting the Dots: Understanding the PSF’s Current Financial Outlook
As the PSF heads into our end-of-year fundraiser, we want to share information to help “connect the dots” and show a more complete picture of the PSF’s current financial outlook. You’ve heard from us on subjects related to our financial position from several different angles recently (a list of those posts is below). We’ve prioritized proactive communications, because we believe in transparency, we have trust in our community, and we value keeping you informed—we know how invested in and impacted by our work you are. We now want to pull those threads together in order to create some shared clarity on the big picture, and, hopefully, inspire you to action to support our fundraising efforts.
pyfound.blogspot.com
November 4, 2025 at 12:12 PM
Reposted by Mike Fiedler
Archive formats like ZIP and tar can be abused to undermine the integrity of Python package users 📦 Learn how PSF Developer-in-Residence Seth Larson is strengthening Python's security with the #Python community in the new white paper "Slippery ZIPs and Sticky tar-pits" with Alpha-Omega:
Improving security and integrity of Python package archives
Security and integrity of the Python packaging ecosystem is critical, and the smallest unit of a packaging ecosystem is a "package". Python packages use existing archive formats like ZIP and tar to distribute Python projects to their users. Archives seem simple on the surface, but many ZIP and tar features can be abused to confuse implementations into seeing different contents of the same archive.
pyfound.blogspot.com
October 30, 2025 at 3:12 PM
Software is hard.
Context: SFO to EWR (I hope!!!)
October 30, 2025 at 5:26 PM
This is a great read on how much (or little!) goes into making PyPI a resource most folks don't have to think heavily about, like many utilities or public works.
What have you done this year to make #OpenSource sustainable?
October 29, 2025 at 2:23 PM
Reposted by Mike Fiedler
Hearts at the PSF are full today from the responses about the recent grant turn down news we shared. All of your kind words of support & solidarity, as well as your donations & new memberships, mean the world to us. We're so grateful to be in community with each of you 💛🐍💙
TL;DR: The PSF has made the decision to put our community and our shared diversity, equity, and inclusion values ahead of seeking $1.5M in new revenue. Please read and share. pyfound.blogspot.com/2025/10/NSF-...
🧵
The official home of the Python Programming Language
www.python.org
October 28, 2025 at 7:04 PM
On my way to #GitHubUniverse - anyone I know going to be there as well?
October 26, 2025 at 12:33 PM
Dunno who or how, but the feature in @brew.sh CLI to display a spinner during downloads instead of a wide progress bar is a nice little improvement.
It might have been there for a while, I only noticed it today.

Thanks for doing what you do in #OpenSource!
October 24, 2025 at 2:08 PM
Reposted by Mike Fiedler
Check out this post by @diegor.it about the latest CPython sprint! We send a special thanks to Arm for hosting the event and investing in the future of #Python 💛🐍💙 pyfound.blogspot.com/2025/10/cpyt...
CPython Core Dev Sprint 2025 at Arm Cambridge: The biggest one yet
pyfound.blogspot.com
October 20, 2025 at 4:46 PM
Does your org run a self-managed version of @gitlab.com and publish your own #Python packages to @pypi.org ?

If you want to try out an alpha of Trusted Publishing for GitLab Self-Managed instances, let me know via DM - I'm collecting interest now, and should have something to show soon.
October 14, 2025 at 2:14 PM
Maybe the friction involved in starting a fresh project helped forestall creating net new things all the time and inspired us to look for existing solutions, and potentially extend/contribute to them.

With the ability to quickly imagine your idea into reality, are we in a new era of software slop?
October 12, 2025 at 9:24 PM
Reposted by Mike Fiedler
Just released! 🚀

Please install and enjoy Python 3.14! 🥧

discuss.python.org/t/python-3-1...

#Python #Python314 #release
October 7, 2025 at 2:29 PM
The final two games for @gothamderby.bsky.social home season happened last night in Brooklyn. They were both really good games, and the championship game was a close, hard-fought nail-biter with some truly awesome displays of athleticism.

Support your local #rollerderby league!
October 5, 2025 at 1:57 PM
Attackers continue to find creative ways to expose credentials, often the first step in a larger scale supply chain attack.
A campaign targeted GitHub Actions to steal PyPI tokens—PyPI wasn’t compromised and no PyPI packages were published by the attackers. Stay safe: review your tokens, rotate any exposed ones, and use short-lived, scoped GitHub Actions tokens. Details:
Token Exfiltration Campaign via GitHub Actions Workflows - The Python Package Index Blog
Incident report of a recent attack campaign targeting GitHub Actions workflows to exfiltrate PyPI tokens, our response, and steps to protect your projects.
blog.pypi.org
September 26, 2025 at 12:53 PM
Reposted by Mike Fiedler
The PSF joined the @openssf.org & others in signing “Open Infrastructure is Not Free.” Funding gaps in the open source industry mean critical infrastructure lacks support. Corporations benefiting from it must invest to sustain it.

Read more ➡️
September 23, 2025 at 2:57 PM
Cool to see @abc7ny.bsky.social do a short piece on password security, promoting second factor authentication. Progress!!
September 22, 2025 at 11:32 PM
Oh, Claude.

> Thanks for pushing back - you saved me from recommending a square peg for a round hole.
September 18, 2025 at 11:19 PM
Reposted by Mike Fiedler
when @miketheman.com tells me how much data has been downloaded from PyPI this year
September 17, 2025 at 4:01 PM
Reposted by Mike Fiedler
We're excited to announce the results of the 2025 election for the PSF Board! Sending a big thank you to the nominees, our outgoing Board members, and our community for participating this year; we are so grateful to be in community with all of you 💙💛
Announcing the 2025 PSF Board Election Results!
The 2025 election for the PSF Board created an opportunity for conversations about the PSF's work to serve the global Python community. We appreciate community members' perspectives, passion, and engagement in the election process this year. 
pyfound.blogspot.com
September 16, 2025 at 5:16 PM
An interesting read on pruning tests from a software stack.

As someone who enjoys the safety of tests and writes more, I believe the title would be improved a bit with the addition of "unhelpful", "unreliable", "poorly written", or something similar.

andre.arko.net/2025/06/30/y...
You should delete tests
We’ve had decades of thought leadership around testing, especially coming from holistic development philosophies like Agile, TDD, and BDD. After all that time and several supposedly superseding moveme...
andre.arko.net
September 13, 2025 at 1:55 PM
Attending @fastly.com Xcelerate today, hoping to learn about what is coming up next
#XNYC #FastForward
September 10, 2025 at 1:40 PM
I was honored to be on a panel of really smart people, talking about developer platforms / platform engineering teams.

Thanks @cloudiamo.com and @infoq.com for the opportunity!
infoq.com InfoQ @infoq.com · Sep 5
What does it take to architect a successful #InternalDeveloperPlatform?

In this #InfoQ virtual panel, eng leaders share:
🔹 Key patterns & anti-patterns
🔹 Lessons learned from real-world platforms
🔹 How to balance standardization with developer autonomy

▶️ Watch now: bit.ly/4lZWVNu

#bestpractices
September 7, 2025 at 5:31 PM
Reposted by Mike Fiedler
ATTN PSF Voting Members: The 2025 PSF Board election vote is open now until September 16th! If you affirmed your intention to vote in this year's election, or voted last year, you should have an email with voting instructions 🗳️ Learn more on our blog:
Python Software Foundation News
pyfound.blogspot.com
September 2, 2025 at 2:04 PM