Zach Steindler

Roger had a very productive weekend.

The number of CVEs GitHub helps open source projects disclose has more than doubled compared to any 30-day period in the past year. Many of these vulnerabilities are being discovered with LLM assistance, and a natural question is "are they slop?" Using the famously uncontroversial CVSS scores, you can see that there are more low severity and high severity scores compared to a year ago. 🤷 It's complicated!

Sources:
- https://cnapulse.org/cna-detail.html?cna=GitHub_M
- https://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=&product_id=&startdate=2025-01-12&enddate=2025-02-12
- https://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=&product_id=&startdate=2026-01-12&enddate=2026-02-12

Finished my git-pkgs talk, thanks for having me @fosdem, I had a blast!

See you again next year, fancy another package manager dev room?

Zach is now talking about attestations

Using an age keyserver as a demo, this article demonstrates how to add a transparency log to a centralized service step-by-step.

We use Tessera for the tlog, VRFs for privacy, and the Witness Network. It all takes just 500 lines to integrate!

The result of years of work making tlogs accessible.

https://words.filippo.io/keyserver-tlog/?source=Mastodon

Building a Transparent Keyserver

We apply a transparency log to a centralized keyserver step-by-step, in less than 500 lines, with privacy protections, anti-poisoning, and witness cosigning.

Are you a senior software engineer in need of a break this holiday season? When someone asks you for feedback, roll a d6 and respond:

6: "what problem are you trying to solve?"
5: "where is this written down?"
4: "is this on the critical path?"
3: "you need to add rate limits"
2: "what features can we remove for the proof-of-concept?"
1: "we tried that 5 years ago and it didn't work"

🎉 The 2025 OpenSSF Annual Report has officially arrived!!!

We invite you to celebrate another year of progress, creativity, and collaboration shaping a safer, more resilient open source community.

Download the report: https://openssf.org/download-the-2025-openssf-annual-report/

#AnnualReport #OSSSecurity

When a kernel commit starts with "In A.D. 1582 Pope Gregory XIII found that ..." you know you're in for a ride:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f076ef44a44d02ed91543f820c14c2c7dff53716
tl;dr: Rockchip decided November should have 31 days...
rtc: rk808: Compensate for Rockchip calendar deviation on November 31st - kernel/git/torvalds/linux.git - Linux kernel source tree

Been researching extending git in various ways for a little side project, didn't find a good guide that covers everything, so I put one together on my blog: https://nesbitt.io/2025/11/26/extending-git-functionality.html
Extending Git Functionality

A practical guide to the different ways you can extend git: subcommands, filters, hooks, remote helpers, and more.

Andrew Nesbitt