Composer 2.9.8 and 2.2.28 fix GitHub Actions token disclosure in error messages

Please immediately update Composer to version 2.9.8 or 2.2.28 (LTS) by running composer.phar self-update. The new releases fix a vulnerability where Composer leaks the full contents of GitHub Actions-issued GITHUB_TOKENs or GitHub App installation tokens to the GitHub Actions logs. GitHub introduced a

Private Packagist

Editorial Opportunity at the Journal of Open Source Software

The Journal of Open Source Software – known to its friends as JOSS – is a developer friendly, diamond open access journal for research software packages which has been running since 2016 and is enormously successful, publishing Open Source software across many fields of science. Its URL, joss.theoj.org, is a giveaway that it is a stablemate of astro.theoj.org, aka the Open Journal of Astrophysics.

The driving force behind JOSS, responsible for getting it off the ground at the very beginning, is Arfon Smith whom I’ve known since Nottingham days and it is fair to say that without his considerable help, OJAp would never have started. Both journals started off as speculative ventures, and OJAp has taken a considerable time to establish itself, but JOSS took off very quickly indeed and has now published over 3,500 papers. There are numerous differences between the two journals but, like OJAp, all publications in JOSS are free to authors and readers.

Arfon has held the role of Editor-in-Chief at JOSS since 2016 but in a recent blog post he explains that he is stepping down from his role as Editor-in-Chief, although he will remain at JOSS. The call for a replacement is here. It’s an opportunity that will appeal to anyone interested in open-source research software and open-access publishing so if that’s you then please consider applying. It will be a substantial investment of time, probably about a day a week. I quote:

Candidates should have the capacity to commit the time this role requires. For those in institutional positions, we ask for a brief letter or statement from your employer or supervisor confirming support for this commitment. Independent researchers, consultants, or others without a traditional institutional affiliation should include a brief statement describing how they plan to allocate the time.

P.S. Today OJAp published its 100th paper of 2026 so far…

P.P.S. I’ll be stepping down as Editor-in-Chief at OJAp in a couple of years, when I retire, and we’ll be doing a similar search nearer the date.

#ArfonSmith #DiamondOpenAccessPublishing #JOSS #JournalOfOpenSourceSoftware #OJAp #OpenJournalOfAstrophysics #openSourceSoftware #TheOpenJournalOfAstrophysics

Mee-thos? Meye-thos? Mi-thos?

A month in, I still couldn't tell you.

The loudest opinions on AI vulnerability research almost never come from the people actually using it or contributing to making the world more secure.

Since Anthropic shipped Mythos and OpenAI Codex Cyber, my feed has been wall-to-wall thought leadership. Sage wisdom. Whitepapers. Panels. Frameworks for "AI-augmented vulnerability discovery." Panels about the frameworks. And one framework about panels.

Meanwhile, the engineers I know, the ones helping secure the internet, have gone quiet. There's usually a reason for that.

The actual work is unglamorous. You read code. You read more code. You look upstream at the open source the whole world depends on. You find things. You report them carefully. You wait. And hopefully you've made the world a little more secure.

That's what our team at LinkedIn has been doing, inside our own stack and across the dependencies we all share. I'll share more when I can.

One thing I won't wait to say:

To the open source maintainers who've fielded our reports, triaged with patience, and shipped fixes through what has genuinely been an unprecedented stretch, thank you. I owe you many coffees/beers/waters. Much love.

Wu-Tang said it in '93: protect ya neck. You've been doing it for the rest of us ever since. No royalties, no panels, no merch.

Just the work.

Back to research and helping fix upstream.

#opensourcesoftware #cybersecurity

So what's new in the world of digital ham radio? This could be a big deal and might knock proprietary protocols and waveforms on the head. #Mercury #Hermes #opensourcesoftware #vara #packetradio

Good news for Linux ops too!
https://www.ardc.net/wp-content/uploads/Mercury-Press-Release-07-MAY-2026.pdf

Totally gave up on exiftool, I have better things to do than read pages and pages of instructions when I just wanna add copyright info and where the photo was taken.

Found digiKam and it removed all the headaches.

I also saw it has a GPS correlator so not only can I use my Garmin Etrex with it, I also have an actual use beyond "toy bought because I always wanted one but never had a plan of how to use it" for the Etrex.

#photography #photoediting #opensourcesoftware #digikam #KDE #exiftool

Before or during major upheavals, people like to say terribly stupid things.
That is why, even a few days after the release of #Mythos, I don't dare to make a prediction about #AI and the future of #CyberSecurity. What I do dare to say are three things.

1. AI worsens the socioeconomic imbalance of #OpenSourceSoftware. While #LLM s are trained on open source sources, the economic benefit flows to big tech companies and the maintainers are left behind underfunded.
2. #ProjectGlaswing shows that the tech and security community still has not found a socially responsible way to distribute knowledge and resources for finding and fixing vulnerabilities.
3. In the future, even more than now, the fundamental pillars of good cybersecurity must be upheld in order to make the effort required for (AI-assisted) attacks uneconomical.

My appeal: support the open source projects you use - appropriately. Invest in the efficiency and stabilization of your vulnerability and patch management processes.

Anyone in the #NoAI / #AntiAI crowd look at Caddy Anti-Bot and have thoughts?

Also what is the best license these days for fighting back on paper for what it’s worth against LLM consumption for creating open source apps on Codeberg? Basically the equivalent of AGPLv3 + no LLM

Caddy Anti-bot looks like it uses more heuristics than Caddy Defender to beat back LLM bots. Relatively new to the point there’s no meaningful web references, not even on the Caddy Community forum.

And how does Caddy Bot Barrier compare to Anubis?

https://github.com/KoDevV2/caddy-anti-bot

https://github.com/steffenbusch/caddy-bot-barrier

#foss #opensource #opensourcesoftware

GitHub - KoDevV2/caddy-anti-bot: A Caddy v2 HTTP handler module that aims to protect your site from bots, scrapers, and ddos attacks.

With #GitHub slowly falling apart, I couldn't be more excited to be working on a better way to host the world's #OpenSourceSoftware:

@radicle - the peer-to-peer GitHub alternative.

I took a minute to write down what I feel is especially exciting about it:
https://yorgos.net.gr/posts/working-on-a-better-home-for-open-source.html

Working on a better home for Open Source

GitHub is giving us even more reasons to consider alternatives. I'm so happy I'm working on one of them!

Yorgos Saslis

Calibre 9.8 update adds local AI support and practical fixes

https://fed.brid.gy/r/https://nerds.xyz/2026/05/calibre-9-8-update/

📖 Interesting read: "💎 redis-objects 2.0: 17 years, 2k stars, and 16M downloads later"

https://nateware.com/2026/04/23/redis-objects-2-0-17-years-2k-stars-and-16m-downloads-later/
#ruby #opensourcesoftware

💎 redis-objects 2.0: 17 years, 2k stars, and 16M downloads later

17 years ago, I created the Ruby library redis-objects to solve a problem I was having at PlayStation. I never expected to still be maintaining it so many years later — it’s older than my kids! I just released version 2.0, which got me reflecting on the journey and lessons learned.

Nate Wiger