I’m not aware of a perfect term for this, so I’m making one up: the Makefile effect. The Makefile effect resembles other phenomena, like cargo culting, normalization of deviance, “write-only language,” &c. I’ll argue in this post that it’s a little different from each of these, insofar as it’s not inherently ineffective or bad and concerns the...
TL;DR: zizmor would have caught the vulnerability that caused this…mostly. Read on for details.
Standard disclaimer: These are my personal opinions, not the opinions of my employer, PyPI, or any open source projects I participate in (either for funsies or because I’m paid to). In particular, nothing I write below can be interpreted to imply (or imply the negation of) similar opinions by any of the above, except where explicitly stated.
This is an announcement for zizmor, a new tool for finding security issues in GitHub Actions setups. You can run it on one or more workflow definitions, and it’ll emit cargo-style diagnostics, SARIF, or JSON as you please. Support for custom actions (e.g. action.yml within actions/checkout or similar) is planned, but not implemented yet.
Another Rust crate announcement: this time I’m announcing yamlpath, a small library for format-preserving YAML feature extraction.
TL;DR: You can use Pydantic’s support for tagged unions to approximate sum types in Python; go right to Sum types in Python (and onwards) to see how it’s done.
This short(-ish) post is a successor to 2022’s a most vexing parse, but for Python packaging. I discovered it the other day while doing what I normally do: mucking through the guts of Python packaging.
About 15 months ago, I posted a rant about misaligned incentives in the vulnerability triage and classification ecosystem, with particular attention given to low-impact, high-noise categories like ReDoS.
Another announcement-type post, this time for a data-modeling crate for GitHub Actions: github-actions-models. Docs here.
This is a short announcement post for the 5.x series of ff2mpv.
From the “blog post ideas for when I have no other ideas” file.
Yet another announcement-type post, this time for a small Rust library I hacked up while trying to deduplicate some boilerplate in another project: upgrayedd.
I love GitHub Actions: I’ve been a daily user of it since 2019 for both professional and hobbyist projects, and have found it invaluable to both my overall productivity and peace of mind. I’m just old enough to have used Travis CI et al. professionally before moving to GitHub Actions, and I do not look back with joy. In a large part because, at...