Patrick Linnane

63 Followers
27 Following
16 Posts
I maintain the Homebrew package manager and work in security operations
Pronouns: he/they
GitHub: https://github.com/p-linnane
Homebrew’s signing key for git commits will be changing from GPG to SSH. Please see the following blog post from @yossarian with more details: https://brew.sh/2025/02/03/Homebrew-git-signing/
Homebrew’s new git signing key

Over the next few days, Homebrew’s repositories will begin to transition from PGP-based signing to SSH-based signing for @BrewTestBot commits.

Homebrew

Thanks to the efforts of @yossarian, @di, Facundo Tuesca and yours truly, we have PEP 740 attestations available on PyPI.

If you use modern pypi-publish with trusted publishing, your dists are signed automatically by default.

https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/

#Python #Packaging #sigstore

PyPI now supports digital attestations - The Python Package Index Blog

Announcing support for PEP 740 on the Python Package Index

It's frustrating that every announcement for a new security feature that includes the word "GitHub" immediately gets swarmed by comments and conspiracy theories about GitHub.

I'm an anti-monopolist and want there to be a multitude of ways we build open source software, but I believe security features are different: mostly because they are either enabled by default or largely ignored.

GitHub is important to support because it's where 84% (372,841 / 440,821) of Python packages on PyPI are built.

A while ago, I announced that I was going to build #E2EE for the Fediverse, so that we might have private direct messaging.

Then I stumbled over the lack of available tooling for Key Transparency in a federated environment. So I started working on a specification for a Public Key Directory server.

I'm happy to announce that I finally have all my ideas on paper.

https://github.com/fedi-e2ee/public-key-directory-specification/tree/main

This specification is not complete. It still needs:

  • Additional rounds of copy-editing, to ensure terms are consistent and easily understood.
  • Peer review, especially from cryptography experts.
  • A reference implementation.
  • Machine-verifiable security proofs of the security of the protocols described.
  • More peer review.
  • Third-party testing of the reference implementation.
  • Other people's ideas.

That last one is optional, but if anyone identifies an opportunity to make this project more successful, I'd love to hear it.

GitHub - fedi-e2ee/public-key-directory-specification: Specification for a Fediverse Directory Server for Public Keys

Specification for a Fediverse Directory Server for Public Keys - fedi-e2ee/public-key-directory-specification

GitHub

The @homebrew booth at GitHub Universe 24 is ready! Swing by and grab some stickers and say hello!

Do you use @homebrew? Are you attending GitHub Universe 2024? @mikemcquaid and I will be there representing Homebrew at the Open Source Zone! Come say hi and grab a sticker!

You can read more on the GitHub Blog: https://github.blog/open-source/10-projects-in-the-open-source-zone-at-github-universe-2024/#homebrew-the-essential-package-manager-for-macos-and-linux

Leading the way: 10 projects in the Open Source Zone at GitHub Universe 2024

Let’s take a closer look at some of the stars of the Open Source Zone at GitHub Universe 2024 🔎

The GitHub Blog
Our audit of Homebrew

By William Woodruff This is a joint post with the Homebrew maintainers; read their announcement here! Last summer, we performed an audit of Homebrew. Our audit’s scope included Homebrew/brew itself…

Trail of Bits Blog

An audit of @homebrew was performed by the wonderful @trailofbits. Here’s my write up: https://brew.sh/2024/07/30/homebrew-security-audit/

2023 Security Audit

Homebrew had a security audit performed in 2023. This audit was funded by the Open Technology Fund and conducted by Trail of Bits. Trail of Bits’ report contained 25 items, of which 16 were fixed, 3 are in progress, and 6 are acknowledged by Homebrew’s maintainers. Below is the scope of testing, findings by severity, and mitigation and acknowledgements.

Homebrew

Homebrew, the missing package manager for macOS, produces the binaries that millions of users download daily. Read about our audit of Homebrew’s CI/CD pipeline and brew.
https://blog.trailofbits.com/2024/07/30/our-audit-of-homebrew/
Mail day courtesy of @1dark1 & @Stickerum! Great quality and the bonus NSA stickers were a nice surprise. Grab yourself some cool stickers from https://stickerthepla.net!

Sticker the Planet.

Sticker the Planet is a sticker store for hackers.