Zach Steindler

Roger had a very productive weekend.

@george @peterhoneyman I can't pass up an opportunity to bikeshed!

What about a cron that runs once every 12 hours that sleeps a random number of seconds between 0 and 12 hours?

It will post on average every 12 hours, not 10, but you could still end up with posts close together (although then you're guaranteed quite a bit of time before the next one). And the posts would be randomly distributed throughout the day.

Not a good approach if you're using a cloud service that charges by the second!
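As an added example (not Zach's code, and not part of the thread), the following Python simulation models the scheme described above: a job that fires every 12 hours and sleeps a uniformly random 0 to 12 hours before posting. It checks the three claims in the post on constructed offsets and on a seeded random run: the mean gap settles at 12 hours, two posts can land close together, and any two consecutive gaps together always cover at least 12 hours (because gap_k + gap_k+1 = 24h + U_k+2 - U_k). It also reports the fraction of wall-clock time spent sleeping, which is the cost concern if the job runs on per-second billing.

```python
import random
from statistics import mean

HOUR = 3600
PERIOD_SEC = 12 * HOUR  # assumption from the post: cron fires every 12 hours


def schedule_from_offsets(sleep_offsets):
    """Absolute post times given the random sleep chosen by each run.

    Run k fires at k * PERIOD_SEC and posts after sleeping sleep_offsets[k]."""
    return [k * PERIOD_SEC + off for k, off in enumerate(sleep_offsets)]


def schedule(num_runs, seed=None):
    """Simulate num_runs cron firings with a uniform 0..12h sleep each."""
    rng = random.Random(seed)  # seedable so results are reproducible
    return schedule_from_offsets(
        [rng.uniform(0, PERIOD_SEC) for _ in range(num_runs)]
    )


def intervals(post_times):
    """Gaps (seconds) between consecutive posts."""
    return [b - a for a, b in zip(post_times, post_times[1:])]


def summarize(post_times):
    """Statistics that test the claims made in the thread."""
    gaps = intervals(post_times)
    # Time each run spent sleeping before it posted.
    total_sleep = sum(t - k * PERIOD_SEC for k, t in enumerate(post_times))
    return {
        "mean_gap_h": mean(gaps) / HOUR,
        "min_gap_h": min(gaps) / HOUR,
        "max_gap_h": max(gaps) / HOUR,
        # Smallest sum of two consecutive gaps; algebra says this is >= 12h.
        "min_two_gap_h": min(a + b for a, b in zip(gaps, gaps[1:])) / HOUR,
        # Fraction of wall-clock time a process was alive but sleeping.
        "sleep_fraction": total_sleep / (len(post_times) * PERIOD_SEC),
    }


if __name__ == "__main__":
    # Constructed worst case: run 0 sleeps 11h, run 1 sleeps 0.5h -> 1.5h apart,
    # but the next post is then guaranteed to be far away.
    close = schedule_from_offsets([11 * HOUR, 0.5 * HOUR, 6 * HOUR])
    print("constructed gaps (h):", [g / HOUR for g in intervals(close)])

    stats = summarize(schedule(10000, seed=7))
    for key, value in stats.items():
        print(f"{key:>15}: {value:.3f}")
```

Running it shows a mean gap of about 12 hours, a minimum gap near zero, a maximum near 24 hours, and a sleep fraction near 0.5: on average half of the clock, a process is sitting idle waiting to post, which is exactly the case where per-second billing hurts.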

The number of CVEs GitHub helps open source projects disclose has more than doubled compared to any 30-day period in the past year. Many of these vulnerabilities are being discovered with LLM assistance, and a natural question is "are they slop?" Using the famously uncontroversial CVSS scores, you can see that there are more low-severity and high-severity scores compared to a year ago. 🤷 It's complicated!

Sources:
- https://cnapulse.org/cna-detail.html?cna=GitHub_M
- https://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=&product_id=&startdate=2025-01-12&enddate=2025-02-12
- https://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=&product_id=&startdate=2026-01-12&enddate=2026-02-12

Finished my git-pkgs talk, thanks for having me @fosdem, I had a blast!

See you again next year, fancy another package manager dev room?

@Edent I have been using https://github.com/steiza/sidebar for about a year for this. Like other folks are saying, you need a minimal server (included; that you can self-host) to help the peers find each other, and a STUN server if any links have both peers behind a NAT.
Zach is now talking about attestations

Using an age keyserver as a demo, this article demonstrates how to add a transparency log to a centralized service step-by-step.

We use Tessera for the tlog, VRFs for privacy, and the Witness Network. It all takes just 500 lines to integrate!

The result of years of work making tlogs accessible.

https://words.filippo.io/keyserver-tlog/?source=Mastodon

Building a Transparent Keyserver

We apply a transparency log to a centralized keyserver step-by-step, in less than 500 lines, with privacy protections, anti-poisoning, and witness cosigning.

Are you a senior software engineer in need of a break this holiday season? When someone asks you for feedback, roll a d6 and respond:

6: "what problem are you trying to solve?"
5: "where is this written down?"
4: "is this on the critical path?"
3: "you need to add rate limits"
2: "what features can we remove for the proof-of-concept?"
1: "we tried that 5 years ago and it didn't work"

🎉 The 2025 OpenSSF Annual Report has officially arrived!!!

We invite you to celebrate another year of progress, creativity, and collaboration shaping a safer, more resilient open source community.

Download the report: https://openssf.org/download-the-2025-openssf-annual-report/

#AnnualReport #OSSSecurity