Patrick Linnane

63 Followers · 27 Following · 16 Posts
I maintain the Homebrew package manager and work in security operations
Pronouns: he/they
GitHub: https://github.com/p-linnane
Homebrew’s signing key for git commits will be changing from GPG to SSH. Please see the following blog post from @yossarian with more details: https://brew.sh/2025/02/03/Homebrew-git-signing/
Linked: Homebrew’s new git signing key (Homebrew)
Over the next few days, Homebrew’s repositories will begin to transition from PGP-based signing to SSH-based signing for @BrewTestBot commits.

Thanks to the efforts of @yossarian, @di, Facundo Tuesca and yours truly, we have PEP 740 attestations available on PyPI.

If you use modern pypi-publish with trusted publishing, your dists are signed automatically by default.

https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/

#Python #Packaging #sigstore

Linked: PyPI now supports digital attestations (The Python Package Index Blog)
Announcing support for PEP 740 on the Python Package Index

It's frustrating that every announcement for a new security feature that includes the word "GitHub" immediately gets swarmed by comments and conspiracy theories about GitHub.

I'm an anti-monopolist and want there to be a multitude of ways we build open source software, but I believe security features are different: mostly because they are either enabled by default or largely ignored.

GitHub is important to support because it's where 84% (372,841 / 440,821) of Python packages on PyPI are built.

A while ago, I announced that I was going to build #E2EE for the Fediverse, so that we might have private direct messaging.

Then I stumbled over the lack of available tooling for Key Transparency in a federated environment. So I started working on a specification for a Public Key Directory server.

I'm happy to announce that I finally have all my ideas on paper.

https://github.com/fedi-e2ee/public-key-directory-specification/tree/main

This specification is not complete. It still needs:

  • Additional rounds of copy-editing, to ensure terms are consistent and easily understood.
  • Peer review, especially from cryptography experts.
  • A reference implementation.
  • Machine-verifiable security proofs of the security of the protocols described.
  • More peer review.
  • Third-party testing of the reference implementation.
  • Other people's ideas.

That last one is optional, but if anyone identifies an opportunity to make this project more successful, I'd love to hear it.

Linked: fedi-e2ee/public-key-directory-specification: Specification for a Fediverse Directory Server for Public Keys (GitHub)

The @homebrew booth at GitHub Universe 24 is ready! Swing by and grab some stickers and say hello!

Do you use @homebrew? Are you attending GitHub Universe 2024? @mikemcquaid and I will be there representing Homebrew at the Open Source Zone! Come say hi and grab a sticker!

You can read more on the GitHub Blog: https://github.blog/open-source/10-projects-in-the-open-source-zone-at-github-universe-2024/#homebrew-the-essential-package-manager-for-macos-and-linux

Linked: Leading the way: 10 projects in the Open Source Zone at GitHub Universe 2024 (The GitHub Blog)
Let’s take a closer look at some of the stars of the Open Source Zone at GitHub Universe 2024 🔎

@davidbures The PR is merged, and cork is now available. I haven't seen any problems with `brew bundle dump` lately, but feel free to open an issue and we can take a look: https://github.com/Homebrew/homebrew-bundle
Linked: Homebrew/homebrew-bundle: 📦 Bundler for non-Ruby dependencies from Homebrew, Homebrew Cask and the Mac App Store. (GitHub)

@edbro Just to clarify, Open Tech Fund generously sponsored the audit for us.

@davidbures Happy to work with you on this. One of your users has opened a PR to add Cork to our main cask repo: https://github.com/Homebrew/homebrew-cask/pull/181945
Linked: cork 1.4.4.2 (new cask) by AlternateRT · Pull Request #181945 · Homebrew/homebrew-cask (GitHub)
Important: Do not tick a checkbox if you haven’t performed its action. Honesty is indispensable for a smooth review process. In the following questions <cask> is the token of the cask you'...

Linked: Our audit of Homebrew (Trail of Bits Blog)
By William Woodruff. This is a joint post with the Homebrew maintainers; read their announcement here! Last summer, we performed an audit of Homebrew. Our audit’s scope included Homebrew/brew itself…