Tim Perry
@pimterry.fyi
Builder of https://httptoolkit.com (🦋 @httptoolkit.com), Node.js core collaborator, tech speaker, drummer, mountain biker and dad.

🇬🇧/🇨🇦 living in 🇪🇸
Interesting! I couldn't make this summit sadly so I missed that, tricky with timezones and travel this time around.

I appreciate the concerns about nuance on social media, fair enough. I'll keep an eye out for more detailed discussion, definitely interested to hear more about concerns here.
November 13, 2025 at 4:39 PM
Should cover CI attacks I would've thought? Even if an attacker triggers the publish job successfully, they'd hit the review block.

If a maintainer's GH account is cracked though it is indeed game over. Passkey-only 2FA for GH _mostly_ helps there, I think? Still not perfect.
November 13, 2025 at 3:14 PM
More safe for who?

As a publisher, it seems _mostly_ safer - more independent of my machine, lower risk of mistakes (e.g. including a file full of secrets, publishing the wrong content), much lower risk of phishing. Doesn't eliminate all risks, but improves things quite a bit.
November 13, 2025 at 3:06 PM
No. If you want to gate it though, you can set it up to require separate manual confirmation in the GitHub UI, by linking it to an environment with 'Required Reviewers' set: docs.github.com/en/actions/h...

Can also be limited to specific branches or tag patterns.
Reviewing deployments - GitHub Docs
You can approve or reject jobs awaiting review.
docs.github.com
November 13, 2025 at 3:01 PM
Windows arm before Linux arm? Bold choice.
November 7, 2025 at 10:38 PM
In related news, it's Open Tech Week here (canodrom.barcelona/ca/opentechw...) with a selection of events orbiting around Mozilla DevFest this coming weekend.

Anybody I know going to DevFest? TBC but I'm likely to be there on Friday.
Open Tech Week
canodrom.barcelona
November 3, 2025 at 10:41 AM
Surprises me more things don't do this tbh. Doesn't seem that hard to do with mdns etc, you can still have a cloud as well for tricky networks, non-local control or advanced features, but local-connectivity-where-possible gives you a huge boost to reliability _and_ drops your server load.
October 22, 2025 at 7:59 AM
Especially looking at stories like www.dexerto.com/entertainmen... I'd really love to see this lead to more IoT prioritising local control instead of AWS-for-everything (or at least, local fallbacks).
AWS crash causes $2,000 Smart Beds to overheat and get stuck upright - Dexerto
The AWS outage caused chaos for owners of Eight Sleep’s Pod3 mattresses as they had no offline mode and were stuck at high temperatures.
www.dexerto.com
October 22, 2025 at 7:59 AM
And in terms of recovery, I just need to know the BitWarden password, and be able to get access to one of my yubikeys (there's a backup stashed away) or the backup-backup recovery codes, and I can always get back in.
October 16, 2025 at 3:14 PM
Security wise, I think that means nothing's accessible without access to both the physical key (=personally rob me) _and_ BitW login (=know the password or get yubikey+active session).

Hopefully this is hit-me-with-a-wrench-security equivalent, I think?
October 16, 2025 at 3:14 PM
End goal: all the passwords live in BitWarden, all 2FA runs via a Yubikey that lives on my keyring, all unphishable.

Login anywhere with a yubikey tap for BW, 2fa with another yubikey tap, done.
October 16, 2025 at 3:14 PM
Excitingly I've just seen BitWarden employees hinting that they're adding unlock support in the extension etc with passkeys, which will polish the UX for all this very nicely.
October 16, 2025 at 3:14 PM
Web Bluetooth but no WebUSB? IoT world is tragic right now, so many hardware devices tell me to install chrome for their setup processes (even my keyboard itself!)
October 14, 2025 at 9:58 PM
My kingdom for a world where hooks die and get replaced by something with less magic and more normal JS semantics 🙏

Classes had their issues, but at least they behaved the same way as all the rest of my codebase.
October 9, 2025 at 10:03 AM