You shouldn’t trust Trusted Publishing
https://blog.yossarian.net/2026/07/07/You-shouldnt-trust-trusted-publishing
You shouldn’t trust Trusted Publishing
https://blog.yossarian.net/2026/07/07/You-shouldnt-trust-trusted-publishing
(this is true regardless of the consumer. LLMs don't have mental states but you can still waste your money and sanity watching them chase down false leads.)
i think people grossly underestimate the importance/value of psychological safety in tool/systems design.
the single biggest contributor to whether I feel like I'm interacting with a janky system is when there are multiple conflicting sources of truth/"correct" solutions and no obvious decision procedure for selecting among them.
intuition check: what would you expect this Rust snippet to print?
```
use itertools::Itertools;
fn main() {
let p = std::path::Path::new("/a/b/c");
let s = p.components().map(|c| c.as_os_str().to_string_lossy()).join("/");
println!("s={s:?}");
}
```
OpenAI handed us their most cyber-capable models and asked us to work directly with open-source maintainers to Patch the Planet.
We started with 19 projects: cURL, Python, Sigstore, NATS, and more. 50 projects have now joined the initiative. Each get a dedicated team reviewing code, finding vulnerabilities, and writing patches.
More in their blog: https://openai.com/index/patch-the-planet/
TIL: Some surprising numeric conversions in Python
https://yossarian.net/til/post/some-surprising-numeric-conversions-in-python
I think it would be cool if slop projects had a DONTREADME file
ask not for whom the BEL tolls; it tolls for thee
(this seems like a cool feature, but I'm also completely confused by _how_ it works given how much load-bearing code there is around actions ordering/initialization and the order in which pre/post-triggers for actions fire.)
GitHub just shipped parallel step support in GHA, which means I get to combine my two favorite things about computing: CI/CD security and race conditions
after reviewing vuln reports for hours, it’s actually such a breath of fresh air to get a classic “your DNS records are misconfigured, 10/10 severity please fix immediately and also pay me.” really takes you back
Join Seth Michael Larson (@sethmlarson) at EuroPython for "Learning from the not-so-secret Python security "cabal"" talk: https://ep2026.europython.eu/9JALSN
Get your ticket: https://europython.eu/tickets/
Great coverage from @lwn of the PSF PyPI Safety & Security Engineer @miketheman's talk on Trusted Publishing at Open Source Summit. 36% of @pypi uploads now use Trusted Publishing. Is yours one of them?
I learned recently about zizmor which audits your GH Actions.
TIL there is a GH-Action for it but it updates the GH Security Section with findings! 🤔
https://github.com/zizmorcore/zizmor-action#usage-with-github-advanced-security-recommended
TIL: Python has a standard ChainMap API
https://yossarian.net/til/post/python-has-a-standard-chainmap-api/