Lightnews — Scholar-powered news

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · 3d

TIL: Safari has built-in WebDriver support

yossarian.net/til/post/saf...

TIL: Safari has built-in WebDriver support

yossarian.net

1

Reposted by William Woodruff (1.3.6.1.4.1.55738)

reaperhulk.bsky.social @reaperhulk.bsky.social · 14d

All the world's developers are a toddler and X.509 is the neighbor's unfenced pool.

9 33

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · 16d

Dear GitHub: no YAML anchors, please
https://blog.yossarian.net/2025/09/22/dear-github-no-yaml-anchors
#programming #rant

1 2 7

Reposted by William Woodruff (1.3.6.1.4.1.55738)

Mike McQuaid @mikemcquaid.com · 19d

Having met with both sides on the current RubyCentral/RubyGems situation, here's my take:

- RubyCentral have managed this exceptionally poorly in many ways including removing literally the most active member of the RubyGems organisation by mistake who has declined to return

2 43 130

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · 23d

maslow’s hierarchy of needs? yeah, I think I’ve heard of that somewhere before

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · 25d

One year of zizmor
https://blog.yossarian.net/2025/09/14/one-year-of-zizmor
#devblog #programming #rust #zizmor

2 6

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · 28d

finally learned what a "labubu" is from my local bodega. very helpful

2

Reposted by William Woodruff (1.3.6.1.4.1.55738)

🟡🐍Sviatoslove.pie♥🇺🇦#StandWithUkraine🙏 | українець на чужині @webknjaz.me · Sep 4

Just cut a new release of `pypi-publish` v1.13.0!

It's got internal runtime update, housekeeping, also diagnostic messages and security improvements from @yossarian.net!

github.com/pypa/gh-acti... / github.com/pypa/gh-acti...

#python #Packaging

Release v1.13.0 · pypa/gh-action-pypi-publish

Take the 2025 Python Packaging Survey if you still haven't! Important🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @woodruffw💰. We've also integrated Zizmor to catch similar i...

github.com

3 4

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · Aug 23

i went on tom, deirdre, and david's podcast and talked about PGP and encrypted email:

securitycryptographywhatever.com/2025/08/22/s...

Stop Using Encrypted Email with William Woodruff

There was a bug in an OpenPGP library which finally gave us an excuse to tear encrypted email via PGP to shreds. Our special guest William Woodruff joined us...

securitycryptographywhatever.com

6

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · Aug 18

I didn’t know that! This is like trying ketchup chips in Canada and realizing I couldn’t get them in the US

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · Aug 17

grape nuts is the only good cereal

3 1

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · Aug 14

PyPI now serves PEP 792 project statuses in its APIs. that means you can now programmatically check if a package is archived, quarantined, etc.!

blog.pypi.org/posts/2025-0...

PyPI now serves project status markers in API responses - The Python Package Index Blog

PyPI has implemented PEP 792, and is now serving project status markers in its standard HTML and JSON APIs.

blog.pypi.org

6 17

Reposted by William Woodruff (1.3.6.1.4.1.55738)

Filippo Valsorda @filippo.abyssdomain.expert · Aug 12

The Go 1.25 change I am most excited about is the new synctest package.

How I think about it is as a way to deflake tests by simulating an infinitely fast processor (because time doesn’t move until all work is done), and then shorten them by compressing time (because time jumps once it moves).

Go @golang.org · Aug 12

🎊 Go 1.25.0 is released!

📝 Release notes: https://go.dev/doc/go1.25

⬇️ Download: https://go.dev/dl/#go1.25.0

#golang

$ go install golang.org/dl/go1.25.0@latest
$ go1.25.0 download
Downloaded 0.0% ( 0 / 58130695 bytes) ...
Downloaded 50.0% (29065347 / 58130695 bytes) ...
Downloaded 100.0% (58130695 / 58130695 bytes)
Unpacking go1.25.0.freebsd-arm.tar.gz ...
Success. You may now run 'go1.25.0'
$ go1.25.0 version
go version go1.25.0 freebsd/arm

2 13 79

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · Aug 14

Fun with finite state transducers
https://blog.yossarian.net/2025/08/14/Fun-with-finite-state-transducers
#devblog #programming #rust #zizmor

Reposted by William Woodruff (1.3.6.1.4.1.55738)

Charlie Marsh @crmarsh.com · Aug 13

Today, we're announcing our first hosted infrastructure product: pyx, a Python-native package registry.

We think of pyx as an optimized backend for uv: it’s a package registry, but it also solves problems that go beyond the scope of a traditional "package registry".

4 38 170

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · Aug 13

zizmor v1.12.0 is released!

this release comes with one new audit (unsound-condition), support for auto-fixing three more finding classes, plus much more in the way of general enhancements and bug fixes.

full details here:

docs.zizmor.sh/release-note...

Release Notes - zizmor

Abbreviated change notes about each zizmor release.

docs.zizmor.sh

3 7

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · Jun 30

zizmor v1.11.0 is out! this release comes with experimental LSP support and an accompanying vscode extension:

marketplace.visualstudio.com/items?itemNa...

full release notes here: docs.zizmor.sh/release-note...

2 3

Reposted by William Woodruff (1.3.6.1.4.1.55738)

Joe McManus @joemcmanus.bsky.social · Jun 27

Do you want to find out more about how @grafana.bsky.social secures its GitHub actions using Zizmor? Check out this post from James on my team : grafana.com/blog/2025/06... @yossarian.net

How to detect vulnerable GitHub Actions at scale with Zizmor | Grafana Labs

In order to harden our infrastructure and pipelines, we have introduced the open source tool Zizmor into our CI/CD pipelines.

grafana.com

4 2

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · Jun 26

thanks a ton in particular to @mosi.bsky.social from @grafana.bsky.social for his hard work on the auto-fix feature!

1 2

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · Jun 26

zizmor v1.10.0 is released!

this is a *huge* new release: it exposes a new (experimental) auto-fix mode, more precise subspanning for fixtures, as well as a brand new pedantic audit (anonymous-definition)

read the full notes here: docs.zizmor.sh/release-note...

Release Notes - zizmor

Abbreviated change notes about each zizmor release.

docs.zizmor.sh

1 4 6

Reposted by William Woodruff (1.3.6.1.4.1.55738)

Filippo Valsorda @filippo.abyssdomain.expert · Jun 18

"Tuscolo2025h2, Tuscolo2026h1, and Tuscolo2026h2 have passed their compliance monitoring period and will be added to an upcoming version of Chrome." issues.chromium.org/issues/41669...

The Geomys Certificate Transparency logs are on their way to become the first trusted Static CT API logs! 🎉

1 4 29

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · Jun 18

thank you @grafana.bsky.social for being a logo-level sponsor of zizmor!

(and also thank you @mosi.bsky.social and other folks at Grafana who've been sending me patches -- the next few releases are going to have a lot of really great new features)

1 2 14

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · Jun 17

A new adventure
https://blog.yossarian.net/2025/06/17/a-new-adventure
#lifestyle

5 1 17

Reposted by William Woodruff (1.3.6.1.4.1.55738)

Thomas Ptacek @sockpuppet.org · Jun 10

This is a piece I wrote with the Latacora team back in 2020 that came up today in light of the (yikes) OpenPGP.js bug. It's the best security advice I've given, and it includes a section that was lost in the migration from micro.blog.

Stop using encrypted email.

www.latacora.com/blog/2020/02...

Stop Using Encrypted Email

www.latacora.com

3 18 37

William Woodruff (1.3.6.1.4.1.55738) @yossarian.net · Jun 11

Bypassing GitHub Actions policies in the dumbest way possible
https://blog.yossarian.net/2025/06/11/github-actions-policies-dumb-bypass
#security

1 5 6