Notices by Seth Larson (sethmlarson@fosstodon.org), page 2

We have an /extremely serious/ Pikmin Bloom group, and we are very excited for community week 🤩 The amount of strategization is so great.

For PEP writers using #PyCharm: Settings > Code Style > General > Visual guides for Columns (80)

Published a visualization for my proposal on SBOM data for Python packages. Take a look and share comments or questions!

#security #python #sbom #supplychain

https://sethmlarson.dev/visualizing-the-python-package-sbom-data-flow

My work on supply-chain security has only been possible through the "Developers-in-Residence" program at the Python Software Foundation.

Security work is unlikely to be anyone's favorite thing to do with #Python, my job is to do that work! Consider me Python's security janitor 🧼🫧🧽

You can support my mission! 🚀 The PSF is hosting its end-of-year fundraiser where direct donations go to lovely programs like the Developers-in-Residence. Thank you for your consideration.

https://www.python.org/psf/donations/2024-q4-drive/

Idle thought, what if Python typing allowed this?

dict[str, any]

🤔

Looks like @ambv seems to be looking for type-hints allies in the last episode of core.py podcast, let it be known that I type-annotate throwaway Python scripts 😊 PyCharm makes it so easy!

Congrats Matt Greer for solving software distribution! E-Reader card with Solitaire delivered in an envelope by mail earlier today. Love it! 😍 (https://retrodotcards.com)

#gameboy #gba #retrogaming

Finding a vendor-neutral description of SBOMs that isn't enterprisey challenge. Difficulty level: IMPOSSIBLE

Migrating from Omnivore to Inoreader reminded me to not trap my efforts to annotate articles and feeds in a service, even one that I pay for. I started regularly dumping this info into OPML and using that data to generate my blogroll page:

https://sethmlarson.dev/links

Sentry putting their money where their mouth is, and a teaser for @ecosystems and @opencollective cross-over project too? This is awesome!

https://blog.sentry.io/we-just-gave-750-000-dollars-to-open-source-maintainers/

Today is my 5-year blog-iversary! 😊 Writing had a positive impact on my life, I would love to see more people writing and sharing on the internet. I wrote a few pieces of advice for new prospective writers:

https://sethmlarson.dev/writing-for-the-internet

PEP 761 has been accepted by the Steering Council, CPython 3.14 and onwards won't provide PGP signatures:

This is a win for Python release managers who volunteer their time for the #Python community for 7+ years. Thanks to all past and current release managers 💜

https://peps.python.org/pep-0761/

I'm working on Software Bill-of-Materials (SBOM) and attempting to solve the "phantom dependency" problem for Python packages.

As always, I try to work in public, so if you'd like to follow along you can do so:

https://discuss.python.org/t/sboms-for-python-packages-project/70261

#python #security #sbom #supplychain

@baconandcoconut Jealous! The scariest I get are Packers fans 👎

lottiefiles/lottie-player on NPM just yesterday had its publishing API tokens stolen and used to publish malware.

If you're using API tokens to publish to @pypi from GitHub Actions, GitLab CI/CD, Google Cloud Build, or ActiveState: please upgrade to Trusted Publishers to prevent these sorts of attacks.

#security #oss #opensource #python

https://docs.pypi.org/trusted-publishers/

As someone who works with networks, this is a super helpful tool for offline testing. Thanks @yossarian for sharing with me!

https://github.com/trailofbits/eatmynetwork

For the fellow tinned-fish enjoyers: Fishwife is running a 20% sale for Prime Day. Good time to stock up! 😋

@joshbressers @kurtseifried Listened to the latest episode, what you're describing about "actionable security by developers" is what my PyCon Taiwan keynote was about. One of the difficulties was providing things that developers (OSS and commercial) could do without approval or spending more time/funds.

Really cool seeing this new HTTP standard, I bet it'll help a lot for large resources like video and pictures.

https://datatracker.ietf.org/doc/draft-ietf-httpbis-compression-dictionary/

I discussed a similar idea on my blog without knowing about all the efforts to standardize it:

https://sethmlarson.dev/http-header-compression#allow-origins-to-manage-their-own-static-table

This is the kind of EV tech I'm rooting for: https://restofworld.org/2024/electric-vehicle-conversions-uruguay/