@joshbressers@kurtseifried Listened to the latest episode. What you're describing about "actionable security by developers" is what my PyCon Taiwan keynote was about. One of the difficulties was providing things that developers (OSS and commercial) could do without approval or spending more time/funds.
Jay Miller (@kjaymiller) was on the Real Python podcast talking about starting international organizations and working with a non-profit. As always from Jay, a must-listen:
Hey maintainers! 👋 Tidelift has opened their annual survey for ✨ all open source maintainers ✨ (not just existing lifters!)
This isn't “just another survey”: the results inform Tidelift's roadmap for how to best get more money into maintainers' hands and show that investing in open source dependencies means projects are better supported and more secure.
The survey takes around 5-10 minutes end-to-end to complete.
@webology Pinned dependencies is one of the metrics I'd consider to be actually helpful. It usually trips on GitHub Workflows and pip commands not being pinned to commits/hashes, which for release workflows should be pinned. Test/quality workflows are probably okay to be unpinned, though it's hard to differentiate.
"CII Best Practices" is a checklist of things that can never be automated, so yeah I don't love that metric.
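The pinning check described in the post above, as an added example (my code, not the author's and not any scanning tool's own implementation): it scans a workflow file for `uses:` steps whose ref is not a 40-hex commit SHA and for `pip install` lines whose packages carry no `==` pin and no `--require-hashes`. The workflow text is constructed for the example, including the SHA, and the scan assumes one `uses:` or `pip install` per line, as in a typical workflow.

```python
"""Flag unpinned GitHub Actions and pip installs in a workflow file.

Regex-based scan, so no YAML parser is needed. Assumption: each `uses:`
step and each `pip install` sits on its own line (the normal layout).
Local actions (`uses: ./path`) and docker:// actions carry no `@ref`
and are not checked.
"""
import re
from typing import List, Tuple

# `uses: owner/repo@ref`, optionally followed by a `# vX.Y.Z` comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
# A full commit SHA is the only ref GitHub treats as immutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Everything after `pip install` (or `pip3 install`) on a `run:` line.
PIP_RE = re.compile(r"\bpip3?\s+install\b(.*)$")


def pip_unpinned_pkgs(args: str) -> List[str]:
    """Return the specs in a `pip install` argument list that lack an exact pin.

    `--require-hashes` makes pip verify every download against a recorded
    hash, so such a line is accepted as pinned. A `-r file` without that
    flag is reported because the file's contents cannot be checked here.
    """
    tokens = args.split()
    if "--require-hashes" in tokens:
        return []
    unpinned: List[str] = []
    expect_req_file = False
    for tok in tokens:
        if expect_req_file:
            unpinned.append(tok)  # requirements file, unverifiable from this line
            expect_req_file = False
            continue
        if tok in ("-r", "--requirement"):
            expect_req_file = True
            continue
        if tok.startswith("-"):
            continue  # other option such as --upgrade
        if "==" not in tok:
            unpinned.append(tok)
    return unpinned


def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) for every unpinned action or package."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.group(1), m.group(2)
            if not SHA_RE.match(ref):
                findings.append((lineno, f"action {action} uses mutable ref {ref!r}"))
            continue
        m = PIP_RE.search(line)
        if m:
            for pkg in pip_unpinned_pkgs(m.group(1)):
                findings.append((lineno, f"pip install without exact pin: {pkg}"))
    return findings


# Constructed sample workflow; the 40-hex SHA is made up for the example.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - run: python -m pip install --upgrade pip
      - run: pip install build==1.2.1 twine
      - run: pip install --require-hashes -r requirements.txt
"""

if __name__ == "__main__":
    for lineno, msg in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {msg}")
```

Run against the sample it reports the `@v4` tag on line 7, the unpinned `pip` self-upgrade on line 9 and `twine` on line 10; the SHA-pinned action and the `--require-hashes` line pass. Deciding whether a workflow is a release workflow, where the post says pinning matters most, is left to the reader, since that depends on the triggers and secrets the job uses rather than on any single line.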
There was already suspicion that LLMs generated a large batch of bogus CVEs not long ago. I suspect that CVE-2023-38898 which targeted #Python and wasn't reported to the Python Security Response Team was a part of that batch.
Now curl gets explicit proof that "security researchers" are submitting reports direct from an LLM without any double-checking. As if handling vulnerabilities wasn't hard enough for #OpenSource maintainers! 😡
:python: PSF Security Developer-in-Residence 🐍 I write about #Python, #opensource, #security, and the #internet 🖥 PSF Fellow ✨ Maintainer of packages like #urllib3 and Requests 📦 Minnesoootan, He/Him