Phil Elson
pelson.bsky.social
Scientific Python engineer & problem solver. Builder of communities and tools, including SciTools (Iris, cartopy), conda-forge, and former maintainer of matplotlib. Working on accelerator controls at CERN.
Fully agree!
February 12, 2025 at 5:11 PM
Is this a core GitHub actions infra vulnerability, or for specific actions which were using the branch name insecurely?
December 6, 2024 at 7:48 AM
Find it humorous too. The "MLWP" singularity is when we can rely on them for analysing the output as well as generating it... That is when it gets super interesting IMO. For now, I think the only (huge) win is in the speed of the models vs NWP - we will still need NWP research for the foreseeable.
December 5, 2024 at 10:14 AM
Sounds like there is a (security) problem with wheel unpacking if you can write outside of the cache root?
November 13, 2024 at 7:56 PM
👋 I'm a scientific Python engineer & general problem solver. I seem to have some success building open-source communities and tools, including conda-forge and SciTools (notably Iris, cartopy, cf-units), and I was previously a maintainer of matplotlib. Bringing Python to accelerator controls at CERN.
November 12, 2024 at 12:59 PM
I agree. Lock files are good from a reproducibility POV, but there isn't an obvious functional improvement on a simple timestamp. I have a prototype which allows you to run a package repo server with the equivalent uv functionality for this reason (like pypi-timemachine, but in the general case)
November 12, 2024 at 12:44 PM