Wrote and published an article about low-quality and LLM-hallucinated security reports that appear to be getting more frequent for open source projects like Python and curl. The article was covered extensively, being quoted in The Register and Fortune.
The PyPI package "Ultralytics", which has a medium-sized userbase, was compromised through a supply-chain attack on its GitHub Actions infrastructure using cache poisoning. Published analysis through the PyPI blog; this analysis spurred projects to adopt Zizmor, among other advice, to secure workflows. Worked on the analysis of this attack with William Woodruff.
Debian has a new experimental packaging of Cosign to be used to verify Sigstore verification materials. I gave this package a spin and was able to verify the Sigstore materials for CPython. I also linked up the Debian developer responsible for this new package to the developers of Sigstore to talk about the long-term packaging of Cosign.
- Authored the preliminary proposal to the NSF Safety, Security, and Privacy of Open-Source Ecosystems (Safe-OSE).
- Handled all security reports to PSRT during December.
- Submitted to the PyCon US request for proposals.
- Reviewed the addition of Zizmor to CPython GitHub Actions.