Looks like @ambv is looking for type-hints allies in the last episode of the core.py podcast; let it be known that I type-annotate throwaway Python scripts 😊 PyCharm makes it so easy!
Congrats Matt Greer for solving software distribution! E-Reader card with Solitaire delivered in an envelope by mail earlier today. Love it! 😍 (https://retrodotcards.com)
Migrating from Omnivore to Inoreader reminded me to not trap my efforts to annotate articles and feeds in a service, even one that I pay for. I started regularly dumping this info into OPML and using that data to generate my blogroll page:
Today is my 5-year blog-iversary! 😊 Writing had a positive impact on my life, I would love to see more people writing and sharing on the internet. I wrote a few pieces of advice for new prospective writers:
PEP 761 has been accepted by the Steering Council, CPython 3.14 and onwards won't provide PGP signatures:
This is a win for Python release managers who volunteer their time for the #Python community for 7+ years. Thanks to all past and current release managers 💜
lottiefiles/lottie-player on NPM just yesterday had its publishing API tokens stolen and used to publish malware.
If you're using API tokens to publish to @pypi from GitHub Actions, GitLab CI/CD, Google Cloud Build, or ActiveState: please upgrade to Trusted Publishers to prevent these sorts of attacks.
@joshbressers @kurtseifried Listened to the latest episode, what you're describing about "actionable security by developers" is what my PyCon Taiwan keynote was about. One of the difficulties was providing things that developers (OSS and commercial) could do without approval or spending more time/funds.
Jay Miller (@kjaymiller) was on the Real Python podcast talking about starting international organizations and working with a non-profit. As always from Jay, a must-listen:
Hey maintainers! 👋 Tidelift has opened their annual survey for ✨ all open source maintainers ✨ (not just existing lifters!)
This isn't "just another survey": the results inform Tidelift's roadmap for how to best get more money into maintainers' hands and show that investing in open source dependencies means projects are better supported and more secure.
The survey takes around 5-10 minutes end-to-end to complete.
@webology Pinned dependencies is one of the metrics I'd consider to be actually helpful; it usually trips on GitHub Workflows and pip commands not being pinned to commits/hashes, which for release workflows they should be. Test/quality workflows are probably okay to be unpinned, though that's hard to differentiate.
"CII Best Practices" is a checklist of things that can never be automated, so yeah I don't love that metric.
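An added example (not from these posts) tying together the two release-workflow points above: the move from stored PyPI API tokens to Trusted Publishing, and pinning GitHub Actions and pip installs to commits/hashes. It is a small audit script for a release workflow; the workflow text, the secret name and the 40-hex SHA inside it are constructed placeholders, and the checks are plain regexes over the file, not a real YAML parser.

```python
import re

# Constructed sample release workflow (not from any real project): one action on a
# floating tag, one on a placeholder commit SHA, an unhashed pip install, and a
# publish step that still authenticates with a long-lived API token secret.
SAMPLE_WORKFLOW = """\
name: release
on: {push: {tags: ['v*']}}
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - run: pip install build==1.2.1
      - run: python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
"""

# A full-length git commit SHA; tags and branches can be moved, a SHA cannot.
SHA_PIN = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text: str) -> list[str]:
    """Return findings for a release workflow: unpinned actions, pip installs
    without hash checking, and token-based publishing instead of Trusted
    Publishing (OIDC via the id-token permission)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.search(r"uses:\s*([^\s@]+)@(\S+)", line)
        if m and not SHA_PIN.fullmatch(m.group(2)):
            findings.append(f"line {n}: {m.group(1)} uses ref '{m.group(2)}', not a commit SHA")
        if "pip install" in line and "--require-hashes" not in line:
            findings.append(f"line {n}: pip install without --require-hashes")
        if re.search(r"password:.*secrets\.", line):
            findings.append(f"line {n}: publishing with a stored API token secret")
    # Trusted Publishing needs the OIDC token; a publish step without it is using a token.
    if "gh-action-pypi-publish" in text and not re.search(r"id-token:\s*write", text):
        findings.append("no 'id-token: write' permission: Trusted Publishing is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

The checker is deliberately strict, so run it on release workflows only; as the post above notes, test/quality workflows are a judgement call.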
There was already suspicion that LLMs generated a large batch of bogus CVEs not long ago. I suspect that CVE-2023-38898 which targeted #Python and wasn't reported to the Python Security Response Team was a part of that batch.
Now curl gets explicit proof that "security researchers" are submitting reports direct from an LLM without any double-checking. As if handling vulnerabilities wasn't hard enough for #OpenSource maintainers! 😡