William Woodruff (1.3.6.1.4.1.55738)
skeeting in accordance with the universal law.
yossarian.net / blog.yossarian.net
- Some flexibility with Go’s sumdb blog.yossarian.net/2025/12/29/Some-fle… #security #go #cryptography
- Reposted by William Woodruff (1.3.6.1.4.1.55738)At the gpg.fail talk and omg #39c3 You can just put a \0 in the Hash: header and then newlines and inject text in a cleartext message. Won’t even blame PGP here. C is unsafe at any speed. gpg has not fixed it yet.
- TIL: serde's borrowing can be treacherous yossarian.net/til/post/ser...
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- TIL: Safari has built-in WebDriver support yossarian.net/til/post/saf...
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- maslow’s hierarchy of needs? yeah, I think I’ve heard of that somewhere before
- finally learned what a "labubu" is from my local bodega. very helpful
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- i went on tom, deirdre, and david's podcast and talked about PGP and encrypted email: securitycryptographywhatever.com/2025/08/22/s...
- grape nuts is the only good cereal
- PyPI now serves PEP 792 project statuses in its APIs. that means you can now programmatically check if a package is archived, quarantined, etc.! blog.pypi.org/posts/2025-0...
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- Fun with finite state transducers blog.yossarian.net/2025/08/14/Fun-with… #devblog #programming #rust #zizmor
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- zizmor v1.12.0 is released! this release comes with one new audit (unsound-condition), support for auto-fixing three more finding classes, plus much more in the way of general enhancements and bug fixes. full details here: docs.zizmor.sh/release-note...
- zizmor v1.11.0 is out! this release comes with experimental LSP support and an accompanying vscode extension: marketplace.visualstudio.com/items?itemNa... full release notes here: docs.zizmor.sh/release-note...
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- zizmor v1.10.0 is released! this is a *huge* new release: it exposes a new (experimental) auto-fix mode, more precise subspanning for fixtures, as well as a brand new pedantic audit (anonymous-definition) read the full notes here: docs.zizmor.sh/release-note...
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- thank you @grafana.bsky.social for being a logo-level sponsor of zizmor! (and also thank you @mosi.bsky.social and other folks at Grafana who've been sending me patches -- the next few releases are going to have a lot of really great new features)
- A new adventure blog.yossarian.net/2025/06/17/a-new-ad… #lifestyle
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- Bypassing GitHub Actions policies in the dumbest way possible blog.yossarian.net/2025/06/11/github-a… #security
- pronouncing knicks like knish
- i did an interview with Once a Maintainer about open source and supply chain security! onceamaintainer.substack.com/p/once-a-mai...
- zizmor v1.8.0 is out! besides changes to the official website and org: * you can now use `ZIZMOR_CONFIG` to pass a config file, as an alternative to `--config` * index-style contexts no longer cause false positives in the `template-injection` audit read more here: docs.zizmor.sh/release-note...
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- A Discord server and new GitHub organization for zizmor blog.yossarian.net/2025/05/07/zizmor-d… #security #oss #devblog #programming #rust #zizmor
- my colleague @darkamaul.bsky.social has a new blog post on the @trailofbits.bsky.social blog about how we worked with @pypi.org's maintainers to slash test times on PyPI by over 80%: blog.trailofbits.com/2025/05/01/m...
- i've released zizmor v1.6.0, with one new audit (forbidden-uses), one rewritten audit (unpinned-uses), a new output mode, and a whole bunch of bugfixes! read the full release notes here: woodruffw.github.io/zizmor/relea...
- i'm very excited about this new work my team at @trailofbits is doing: we're building an ASN.1 API for PyCA Cryptography, giving users direct access to the same memory-safe, high-performance DER parser that Cryptography already uses for X.509: blog.trailofbits.com/2025/04/18/s...
- TIL Any program can be a GitHub Actions shell yossarian.net/til/post/any...
- hope this helps
- it seems very weird to me that LSP is/was advertised as a solution to the NxM matrix problem in IDEs, but to use an LSP server in vscode you still need to write a custom extension ("LSP client") that only talks to your particular LSP server (other editors/IDEs seem to get this right, e.g. vim-lsp)
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- you can now archive projects on @pypi.org! this work was done by my teammate Facundo @trailofbits.bsky.social and is part of a larger multi-year arc of work dedicated to landing security and usability improvements on PyPI: blog.trailofbits.com/2025/01/30/p...
- zizmor v1.2.0 is released! this release brings a new audit (bot-conditions), which can detect spoofable `github.actor` checks. it also brings bugfixes/accuracy improvements across the board! many thanks to astral.sh for being our first logo sponsor! notes here: woodruffw.github.io/zizmor/relea...
- Be aware of the Makefile effect blog.yossarian.net/2025/01/10/Be-aware… #programming
- i'll be speaking at FOSDEM in the Security Devroom about zizmor and GitHub Actions security! details here: fosdem.org/2025/schedul... #fosdem #fosdem2025
- Reposted by William Woodruff (1.3.6.1.4.1.55738)[Not loaded yet]
- thank you to everyone who matched me, and especially to @filippo.abyssdomain.expert! together we raised just over $9830 USD for Anera, HIAS, ProPublica, and the PSF!
- 1735 * 5 = $8675 has been matched so far, leaving 265 * 5 = $1325! be one of the last few people to match me and @filippo.abyssdomain.expert! bsky.app/profile/yoss...
