Been a minute since I've dug into an RFC, was starting to miss it! 😄

Thanks to Microsoft for supporting its #opensource dependencies like urllib3! 🙏

sethmlarson.dev/thanks-to-micr…

PyPI now has three new Trusted Publishing, thanks (in part) to our work at Trail of Bits! This realizes our goal of expanding Trusted Publishing to compute environments outside of GitHub Actions:

blog.pypi.org/posts/2024-04-…

Starting today, PyPI package maintainers can publish via Trusted Publishing from three additional providers:

- 🦊 GitLab
- Google Cloud
- ActiveState

They join GitHub Actions to support publishing without long-lived passwords or API tokens.

blog.pypi.org/posts/2024-04-…

🎉 ActiveState is pleased to announce our inclusion as a Trusted Publisher to PyPI, enabling Python authors to securely publish Python packages directly via ActiveState’s Platform.

Become a trusted author today: ow.ly/Z34i50RikiO

#ActiveState #TrustedPublisher #PyPI

I'm attending #OSSummit , reach out to me if you want to chat about #security of #Python or #PyPI 👋

An update on the #Python release process, #SBOM , and some thoughts on #xz after talking about it with lots of folks.

sethmlarson.dev/security-devel…

Apple explicitly acknowledges and allows emulators on the appstore, worldwide 🙌

Absolutely massive W

The xz fiasco has shown how a dependence on unpaid volunteers can cause major problems. Trillion dollar corporations expect free and urgent support from volunteers.

Microsoft MicrosoftTeams posted on a bug tracker full of volunteers that their issue is 'high priority'

The PSF is pleased to announce our participation in a new Open Initiative for #Cybersecurity Standards with Apache - The ASF and Eclipse Foundation to establish common specifications for secure #opensource development based on open source best practices #python
pyfound.blogspot.com/2024/04/new-op…

Sustainability is a security issue. Consumers only have demands for a burnt out maintainer and the only help that arrives has long-term malicious intentions.

robmensching.com/blog/posts/202…

Worth a read. OSS maintainers have been raising alarms about a general lack of support (from their employers, communities, and users) for years.

Burnout is a security risk.

While I was away my article on unexpected behavior of '$' in regular expressions hit #1 on Hacker News (and I only discovered this fact by receiving hate mail).

If you missed it and use '$' in Python regular expressions you might be interested:

sethmlarson.dev/regex-%24-matc…

Back from vacation! 👋 I covered the CISA OSS Security Summit, Google Summer of Code 2024, SOSS Community Day NA in this weekly report:

sethmlarson.dev/security-devel…

I learned about some platform-specific regex behavior of the '$' character:

sethmlarson.dev/regex-%24-matc…

From the New Yorker Profile of President Biden

newyorker.com/magazine/2024/…