William Woodruff (1.3.6.1.4.1.55738)
@yossarian.net
skeeting in accordance with the universal law.

yossarian.net / blog.yossarian.net
TIL: Safari has built-in WebDriver support

yossarian.net/til/post/saf...
October 6, 2025 at 12:32 AM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
All the world's developers are a toddler and X.509 is the neighbor's unfenced pool.
September 24, 2025 at 10:23 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
Having met with both sides on the current RubyCentral/RubyGems situation, here's my take:

- RubyCentral have managed this exceptionally poorly in many ways, including removing, by mistake, literally the most active member of the RubyGems organisation, who has declined to return
September 19, 2025 at 7:04 PM
maslow’s hierarchy of needs? yeah, I think I’ve heard of that somewhere before
September 15, 2025 at 8:04 PM
finally learned what a "labubu" is from my local bodega. very helpful
September 10, 2025 at 6:23 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
Just cut a new release of `pypi-publish` v1.13.0!

It's got an internal runtime update, housekeeping, and also diagnostic messages and security improvements from @yossarian.net!

github.com/pypa/gh-acti... / github.com/pypa/gh-acti...

#python #Packaging
Release v1.13.0 · pypa/gh-action-pypi-publish
Take the 2025 Python Packaging Survey if you still haven't! Important🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @woodruffw💰. We've also integrated Zizmor to catch similar i...
github.com
September 4, 2025 at 1:52 AM
i went on tom, deirdre, and david's podcast and talked about PGP and encrypted email:

securitycryptographywhatever.com/2025/08/22/s...
Stop Using Encrypted Email with William Woodruff
There was a bug in an OpenPGP library which finally gave us an excuse to tear encrypted email via PGP to shreds. Our special guest William Woodruff joined us...
securitycryptographywhatever.com
August 23, 2025 at 2:51 AM
grape nuts is the only good cereal
August 17, 2025 at 12:56 AM
PyPI now serves PEP 792 project statuses in its APIs. that means you can now programmatically check if a package is archived, quarantined, etc.!

blog.pypi.org/posts/2025-0...
PyPI now serves project status markers in API responses - The Python Package Index Blog
PyPI has implemented PEP 792, and is now serving project status markers in its standard HTML and JSON APIs.
blog.pypi.org
August 14, 2025 at 7:23 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
The Go 1.25 change I am most excited about is the new synctest package.

How I think about it is as a way to deflake tests by simulating an infinitely fast processor (because time doesn’t move until all work is done), and then shorten them by compressing time (because time jumps once it moves).
golang.org Go @golang.org · Aug 12
🎊 Go 1.25.0 is released!

📝 Release notes: https://go.dev/doc/go1.25

⬇️ Download: https://go.dev/dl/#go1.25.0

#golang
August 12, 2025 at 10:14 PM
August 14, 2025 at 4:53 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
Today, we're announcing our first hosted infrastructure product: pyx, a Python-native package registry.

We think of pyx as an optimized backend for uv: it’s a package registry, but it also solves problems that go beyond the scope of a traditional "package registry".
August 13, 2025 at 6:24 PM
zizmor v1.12.0 is released!

this release comes with one new audit (unsound-condition), support for auto-fixing three more finding classes, plus much more in the way of general enhancements and bug fixes.

full details here:

docs.zizmor.sh/release-note...
Release Notes - zizmor
Abbreviated change notes about each zizmor release.
docs.zizmor.sh
August 13, 2025 at 4:13 PM
zizmor v1.11.0 is out! this release comes with experimental LSP support and an accompanying vscode extension:

marketplace.visualstudio.com/items?itemNa...

full release notes here: docs.zizmor.sh/release-note...
June 30, 2025 at 7:33 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
Do you want to find out more about how @grafana.bsky.social secures its GitHub Actions using Zizmor? Check out this post from James on my team: grafana.com/blog/2025/06... @yossarian.net
How to detect vulnerable GitHub Actions at scale with Zizmor | Grafana Labs
In order to harden our infrastructure and pipelines, we have introduced the open source tool Zizmor into our CI/CD pipelines.
grafana.com
June 27, 2025 at 12:51 AM
zizmor v1.10.0 is released!

this is a *huge* new release: it exposes a new (experimental) auto-fix mode, more precise subspanning for fixtures, as well as a brand new pedantic audit (anonymous-definition)

read the full notes here: docs.zizmor.sh/release-note...
Release Notes - zizmor
Abbreviated change notes about each zizmor release.
docs.zizmor.sh
June 26, 2025 at 6:42 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
"Tuscolo2025h2, Tuscolo2026h1, and Tuscolo2026h2 have passed their compliance monitoring period and will be added to an upcoming version of Chrome." issues.chromium.org/issues/41669...

The Geomys Certificate Transparency logs are on their way to become the first trusted Static CT API logs! 🎉
June 18, 2025 at 11:06 PM
thank you @grafana.bsky.social for being a logo-level sponsor of zizmor!

(and also thank you @mosi.bsky.social and other folks at Grafana who've been sending me patches -- the next few releases are going to have a lot of really great new features)
June 18, 2025 at 4:14 PM
Reposted by William Woodruff (1.3.6.1.4.1.55738)
This is a piece I wrote with the Latacora team back in 2020 that came up today in light of the (yikes) OpenPGP.js bug. It's the best security advice I've given, and it includes a section that was lost in the migration from micro.blog.

Stop using encrypted email.

www.latacora.com/blog/2020/02...
Stop Using Encrypted Email
www.latacora.com
June 10, 2025 at 7:36 PM
Bypassing GitHub Actions policies in the dumbest way possible
https://blog.yossarian.net/2025/06/11/github-actions-policies-dumb-bypass
#security
June 11, 2025 at 2:02 PM
pronouncing knicks like knish
June 7, 2025 at 12:27 AM
i did an interview with Once a Maintainer about open source and supply chain security!

onceamaintainer.substack.com/p/once-a-mai...
Once a Maintainer: William Woodruff
The security engineer on meeting engineers where they are, and what keeps him up at night
onceamaintainer.substack.com
May 21, 2025 at 4:00 PM