Jay Miller (@kjaymiller) was on the Real Python podcast talking about starting international organizations and working with a non-profit. As always from Jay, a must-listen:
Notices by Seth Larson (sethmlarson@fosstodon.org), page 3
Seth Larson (sethmlarson@fosstodon.org)'s status on Tuesday, 13-Aug-2024 05:31:17 JST Seth Larson -
Seth Larson (sethmlarson@fosstodon.org)'s status on Tuesday, 09-Jul-2024 03:39:39 JST Seth Larson Hey maintainers! 👋 Tidelift has opened their annual survey for ✨ all open source maintainers ✨ (not just existing lifters!)
This isn't “just another survey”: the results inform Tidelift's roadmap for how to best get more money into maintainers' hands and show that investing in open source dependencies means projects are better supported and more secure.
The survey takes around 5-10 minutes end-to-end to complete.
https://tidelift.az1.qualtrics.com/jfe/form/SV_8cfOxXluZDsXrrE
Seth Larson (sethmlarson@fosstodon.org)'s status on Saturday, 06-Apr-2024 20:14:37 JST Seth Larson @webology Pinned dependencies is one of the metrics I'd consider to be actually helpful; it usually trips on GitHub Workflows and pip commands not being pinned to commits/hashes, which for release workflows should be pinned. Test/quality workflows, though, are probably okay to be unpinned; hard to differentiate, though.
"CII Best Practices" is a checklist of things that can never be automated, so yeah, I don't love that metric.
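As an added example (not Seth Larson's code, nor any project's), here is a small audit script that implements the distinction the post above draws: `uses:` references that are not pinned to a full commit SHA and `pip install` commands without `--require-hashes` are reported as errors in release workflows and only as warnings in test/quality workflows. The rule for telling the two apart (a top-level `release:` or `tags:` trigger) is an assumed heuristic, and the two workflow files and the all-zero placeholder SHA are constructed for the example.

```python
"""Audit GitHub workflow files for unpinned actions and pip installs.

Added example, not code from the post or any project. Workflows that fire on
release events or tag pushes are treated as release workflows (an assumed
heuristic); unpinned dependencies there are errors, elsewhere only warnings.
"""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
PIP_RE = re.compile(r"\bpip3?\s+install\b")
# Assumed heuristic: a `release:` or `tags:` trigger key marks a release workflow.
RELEASE_TRIGGER_RE = re.compile(r"^\s*(release|tags):", re.MULTILINE)


@dataclass
class Finding:
    workflow: str
    kind: str      # "action" or "pip"
    detail: str    # offending `uses:` reference or the whole pip command line
    severity: str  # "error" in release workflows, "warning" elsewhere


def is_release_workflow(text: str) -> bool:
    return RELEASE_TRIGGER_RE.search(text) is not None


def action_is_pinned(ref: str) -> bool:
    """True when a `uses:` reference is pinned to a full 40-hex commit SHA.

    Local actions (./path) and docker:// images carry no upstream git ref to
    pin, so they are not reported.
    """
    if ref.startswith(("./", "docker://")):
        return True
    if "@" not in ref:
        return False
    return SHA_RE.match(ref.rsplit("@", 1)[1]) is not None


def audit_workflow(name: str, text: str) -> list[Finding]:
    severity = "error" if is_release_workflow(text) else "warning"
    findings = []
    for m in USES_RE.finditer(text):
        ref = m.group(1)
        if not action_is_pinned(ref):
            findings.append(Finding(name, "action", ref, severity))
    for line in text.splitlines():
        # Only an explicit --require-hashes counts: pip also enters hash-checking
        # mode when every requirement in the file carries --hash, but the
        # workflow text alone cannot show that.
        if PIP_RE.search(line) and "--require-hashes" not in line:
            findings.append(Finding(name, "pip", line.strip(), severity))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"error": 0, "warning": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample workflows; the 40-zero SHA is a placeholder, not a real commit.
RELEASE_YML = """\
name: Publish
on:
  release:
    types: [published]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0000000000000000000000000000000000000000  # placeholder SHA
      - run: |
          python -m pip install --require-hashes -r requirements/release.txt
          python -m pip install build
      - run: python -m build
"""

TEST_YML = """\
name: Test
on:
  pull_request:
  push:
    branches: [main]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install -r requirements/test.txt
      - run: pytest
"""

if __name__ == "__main__":
    for name, text in (("release.yml", RELEASE_YML), ("test.yml", TEST_YML)):
        for f in audit_workflow(name, text):
            print(f"{f.severity.upper():7} {f.workflow}: unpinned {f.kind}: {f.detail}")
```

Running the script reports the release workflow's `actions/checkout@v4` and the `pip install build` line as errors, while the identical findings in the test workflow come out as warnings; the `--require-hashes` install and the SHA-pinned action are not reported.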
Seth Larson (sethmlarson@fosstodon.org)'s status on Wednesday, 17-Jan-2024 05:20:06 JST Seth Larson urllib3, #Python's most-used HTTP client library, is fundraising to add HTTP/2 support and ensure long-term sustainability of the project.
Retoots and shares are appreciated 🙏
https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support
Seth Larson (sethmlarson@fosstodon.org)'s status on Saturday, 21-Oct-2023 23:07:29 JST Seth Larson There was already suspicion that LLMs generated a large batch of bogus CVEs not long ago. I suspect that CVE-2023-38898, which targeted #Python and wasn't reported to the Python Security Response Team, was part of that batch.
Now curl gets explicit proof that "security researchers" are submitting reports directly from an LLM without any double-checking. As if handling vulnerabilities wasn't hard enough for #OpenSource maintainers! 😡