Notices by yossarian (1.3.6.1.4.1.55738) (yossarian@infosec.exchange)

a good rule of thumb (that i consistently struggle to not violate) is that any system that uses "policy" as a blanket term for delegating complexity to users is one that deserves extreme scrutiny

@inyourbits in the sense of making secure defaults harder; my experience is:

1. a tool/system comes with secure defaults
2. a user/demo needs a set of exceptions that are contextually reasonable/acceptable
3. the tool/system grows the ability to set "policies," and declaring a custom policy implicitly overrides *all* secure defaults instead of just the ones explicitly overridden

don't talk to me or my son ever again

i'll be speaking at FOSDEM in the Security Devroom about zizmor and GitHub Actions security!

details here:

https://fosdem.org/2025/schedule/event/fosdem-2025-6543-hunting-for-github-actions-bugs-with-zizmor/

#fosdem #fosdem2025

hi all, i'm doing another round of donations this year.

i'll match up to $2000 total and my company will match up to another $2000, so matching me will get your donation tripled.

here are some of the organizations i'm supporting:

* Anera: https://www.anera.org/ -- food and relief in Palestine, Lebanon, and Jordan
* HIAS: https://hias.org/ -- resettlement and support for immigrants around the word
* ProPublica: https://www.propublica.org/ -- investigative journalism in the public interest
* Python Software Foundation: https://www.python.org/psf-landing/ -- financially hosts and supports the development of Python

send me your donation receipt, and i'll send you a matching one (public or private, your choice!)

and as a counterpart: how many apps fail this test, presumably because their developers drive to work

i think it's pretty interesting how "can a smartphone app handle 30s of internet connectivity, followed by 30s of non-connectivity, followed by 10s of connectivity" is still in 2024 a very strong proxy for "has the developer ever ridden the NYC subway"

TIL: Some surprising code execution sources in bash

https://yossarian.net/til/post/some-surprising-code-execution-sources-in-bash

#til #shell #security

i'm really excited to share the work my team at @trailofbits has been doing for the last year: Sigstore-based attestations are now live and generally available on PyPI!

if you're already using Trusted Publishing with the canonical pypi-publish action, you don't need to change anything: the action will generate and upload an attestation on your behalf.

we've written a blog post on some of the technical details behind PyPI's attestation features, including Sigstore and PEP 740, here: https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/

#python #pypi #security #sigstore