Awesome! A substandard SBOM is better than none, and a highly detailed SBOM is better than that 🤓 then plugging it into something like dependency-management-data or guac to understand more about your software estate is a great next step. Making sure the runtime environment is safer is a great shout too - recently found out about OpenSSF's S2C2F which has some good stuff in there around reducing supply chain security risks too
IndieWeb post types
This content type is full of IndieWeb post types, which are all content types which allow me to take greater ownership of my own data. These are likely unrelated to my blog posts. You can find a better breakdown by actual post kind below:
Bookmarked
Everything I Know About the Xz Backdoor
Post details
state: unstable, in: blog, date: 3/29/2024. 😖 Unstable. Updating at the speed of light, blink once and a word could be gone! These nodes are erratic, unstable, dangerous, but that's why they are fun. Please note: …
Reposted
Hynek Schlawack (@hynek@mastodon.social)
Post details
I know nobody wants to admit it, but security shit shows like heartbleed, log4shell, or xzgate are kinda exciting times to live thru. 🤓 Also I’m afraid it’s the only way to prove the problems we’ve been droning about for years are real and not made up by greedy maintainers.
Liked
Matthew Skelton (@matthewskelton@mastodon.social)

Post details
Attached: 1 image Today's status: neurospicy 🌶️

Reposted
Gabe Kangas (@gabek@social.gabekangas.com)

Post details
My heart goes out to xz. A single maintainer, who was clearly in a rough place with mental health, screaming out to the world for some help and additional contributions, and somebody shows up wanti...
Reposted
James Smith 💾 (@Floppy@mastodon.me.uk)

Post details
Attached: 1 image @bob

Reposted
ROTOPE~1 :yell: (@rotopenguin@mastodon.social)
Post details
@0xabad1dea@infosec.exchange that's a warning to malware state actors - do not get between a db guy and performance. They will fuck you up.
Between and I took 10018 steps.
Liked
Dan Pope (@danielthepope@mastodon.me.uk)
Post details
This game came by at just the right time. Covid gave me the perfect excuse to play this game for hours on end without feeling guilty, and now I’ve finally achieved 5 stars! 🐶💩⛳️ I binned the bag in 4 throws, rating ⭐️⭐️⭐️⭐️⭐️ https://vole.wtf/dog-poo-golf/
Reposted
yossarian (1.3.6.1.4.1.55738) (@yossarian@infosec.exchange)
Post details
my only contribution to the xz discourse: absolutely none of the supply chain stuff we're currently doing, including the things i like, would have stopped this. the only things that can stop this are (1) compulsively treating all code as untrusted, and (2) way, way stronger capability checks and restrictions in running systems. (1) is economically infeasible (the world runs on free labor from OSS), and (2) has had only very limited practical success.
Reposted
Jonathan Corbet (@corbet@social.kernel.org)

Post details
Random, unordered, probably useless thoughts on today's apocalypxze... Part of the success in getting this into Debian may be the result of there being no xz maintainer there. It is "maintained" ...

Reposted
Geoffrey Thomas (@geofft@mastodon.social)
Post details
@glyph @eb@social.coop I'm frustrated that big tech's efforts to increase core library security are "your project is too popular, you must use 2FA" and "the best reverse engineers in the world will find your bugs and put you on a 90 day disclosure deadline" and not "here is $100K/year and benefits to keep doing what you're doing at your own pace."
Reposted
Glyph (@glyph@mastodon.social)
Post details
@eb@social.coop I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html
Reposted
Soldier of FORTRAN :ReBoot: (@mainframed767@infosec.exchange)

Post details
Attached: 1 image #xz #CVE #cve20243094 #Linux

Reposted
danielle 🏳️🌈 (@endocrimes@toot.cat)
Post details
It’s not surprising that a major security vulnerability is once again caused by maintainer burnout and someone stepping in to take over. We’ve all been talking about that risk for years. Sadly it’s also unsurprising that OSS teams still are going to need to plead with management to stay funded, and paid OSS maintainers will still do unpaid overtime to work with volunteers. 🙃.
Liked
Make Checkpoint | Kyle Shevlin

Post details
Learn how to create a simple Makefile to quickly create a "checkpoint" in your Git history when you are rapidly prototyping.

Listened to
13% of the time, Devin works every time (JS Party #317)

Post details
Jerod, KBall & Nick discuss the latest news: Devin, Astro DB, The JavaScript Registry, Tailwind 4 & Angular merging with Wiz. Oh, and a surprise mini-game of HeadLIES!

Liked
Read it never...

Post details
I believe I’m a huge consumer of information just like every other person with the internet. The internet has blessed us with access to i...

Listened to
A RedMonk Conversation: Engaging with Developers on Hacker News (With Dan Moore) | PodServe.fm

Post details
Join RedMonk analysts James Governor and Kate Holterhoff as they chat with Dan Moore about Hacker News, the social news website for developers. This conversation digs into significant questions concerning this network that include not only what makes it unique, but also the special sauce that makes developers flock there. Moore suggests strategies for vendors hoping to successfully engage this community, and more general best practices for becoming involved. This RedMonk Conversation was originally published in video form on March 28, 2024.

Liked
Mark Wolfe (@wolfeidau@awscommunity.social)
Post details
Big fan of oapi-codegen for building openapi specified, contract first Go based APIs, great to see a v2 release reduced module dependencies, and isolated examples in another module! Great pattern to learn and understand. #golang #openapi https://github.com/deepmap/oapi-codegen/releases/tag/v2.0.0
Liked
Marcus Noble (@Marcus@k8s.social)
Post details
I really wish Spotify would quit with all the bullshit and just focus on music. That’s the only thing they’re good for, why is that so bad?
Liked
Alex Wilson (@probablyfine@tech.lgbt)
Post details
Doing a bit of TDD as a treat (I require the dopamine from seeing red turn into green)
Liked
taco (@taco2054@infosec.exchange)
Post details
just realized Easter and the Transgender Day of Visibility coincide this year which means it's the world's ultimate egg hunt
Reposted
Josh Simmons (@josh@josh.tel)
Post details
Love to see forks emerge when a company gets greedy and transitions to source-available after years of accepting third party contributions and establishing market share under an open source license.
Liked
fromjason.xyz 🖤 (@fromjason@mastodon.social)
Post details
@steve@s.yelvington.com BREAKING: Old white guy tells marginalized groups there's nothing to worry about; they may actually be the fascists. More later tonight.
Reposted
Rob Ricci :real: (@ricci@discuss.systems)
Post details
Hey, with people in the news getting sentenced to prison, facing the possibility of prison time, etc., just a reminder: it is not desirable, nor funny, that violence in prison (including sexual violence) be a part of someone's punishment. Even people you really, really do not like who have done really super bad things. It is to the United States' shame that violence in prison is part of our carceral system, and we should not celebrate it, ever. We should seek to eliminate it.
Liked
Terence Eden (@Edent@mastodon.social)
Post details
Found a whole new level of security incompetence. Went to type in my 2FA code, but nothing appeared on screen. They hadn't disabled pasting. Instead, they used JavaScript to ensure that only numbers could be typed in. But only numbers from the number row of my keyboard. I was using my NumPad which, as every good developer knows, uses different event codes! https://developer.mozilla.org/en-US/docs/Web/API/KeyboardEvent/code
Reposted
CatSalad🐈🥗 (D.Burch) :blobcatrainbow: (@catsalad@infosec.exchange)

Post details
Attached: 1 image Going to need slightly bigger [truth table](https://en.wikipedia.org/wiki/Truth_table)... :calculator:

Listened to
#72 - Give People What They Came For, with Jerod Santo

Post details
Today I got the pleasure to chat with Jerod Santo, the Managing Editor at Changelog Media. Picture this – a podcast that not only uncovers the intricacies of Jerod's career but also shares some unconventional lessons learned from his work. From navigating the ever-evolving tech landscape to spearheading Changelog, Jerod brings a wealth of experience that transcends your typical engineer expectations and taps into the heart of what it means to build a sustainable developer community.

Listened to
We're flipping the script with Katherine from Open at Intel & Den from The Work Item (Changelog Interviews #584)

Post details
Script flipped! Today we’re sharing two interviews of us on Other People’s Podcasts (OPP): Katherine Druckman from the Open at Intel podcast invited us on the show at KubeCon NA in November and Den Delimarsky hosted Jerod on The Work Item podcast in February.

Between and I took 8537 steps.
Liked
GitHub - benjifs/sparkles: a micropub client

Post details
a micropub client. Contribute to benjifs/sparkles development by creating an account on GitHub.
Liked
On Tech Debt: My Rust Library is now a CDO
Post details
Bringing the great successes of financial engineering to Rust.
Liked
Representing State as interfaces in Go
Post details
I made up a neat little pattern in Go the other day. It’s a way to represent a state change in a system by exposing different APIs for different states, while only holding state in a single underlying struct. I’m sure I’m not the first person to invent this, and it may already have a name, so please let me know if you know of one. I’m going to show an instance of the pattern first and the motivation after.
Listened to
Going Open Source at Convex with James Cowling - Software Engineering Daily

Post details
Convex is a serverless backend platform to simplify fullstack application development. Its underlying database is written in Rust, and it uses TypeScript to integrate with reactive UI frameworks. The platform is growing, which has presented new reasons to make the code open source, and Convex recently released the source code for a self-managed version of

Liked
Redis License Shift Splits Community: Open Source Contributors Move to Fork - Socket

Post details
Redis is no longer OSS, breaking its explicit commitment to remain under the BSD 3-Clause License forever. This has angered contributors who are now working to fork the software.

Between and I took 6491 steps.
Reposted
Michael W Lucas¹ :flan_mail: (@mwl@io.mwl.io)

Post details
Hey everyone! #vultr just enshittified! They're claiming ownership of all intellectual property you host on their VMs. https://grimgreenfo.rest/notes/9rdle0uyo4d30029 Clear violation of copyright law. So, where are people moving to? What options are out there that suck less?

Listened to
Engineering Enablement by Abi Noda | 10 years of driving developer productivity at Yelp | Kent Wills (Yelp)

Post details
On this week's episode, Abi interviews Kent Wills, Director of Engineering Effectiveness at Yelp. He shares insights into the evolution of their developer productivity efforts over the past decade. From tackling challenges with their monolithic architecture to scaling productivity initiatives...

Liked
Anders Eknert (@anderseknert@hachyderm.io)
Post details
@Marcus@k8s.social Huh, I hadn't noticed they too changed their license. We're going to need tools to help avoid projects not hosted by a foundation in our supply chains if this keeps up. Maybe some Rego rules in @www.jvt.me@www.jvt.me's DMD :) https://dmd.tanna.dev/
Listened to
Debugging with Matt Boyle & Bill Kennedy (Go Time #309)

Post details
In this episode Matt, Bill & Jon discuss various debugging techniques for use in both production and development. Bill explains why he doesn’t like his developers to use the debugger and how he prefers to only use techniques available in production. Matt expresses a few counterpoints based on his different experien...

Listened to
The Business of Open Source | Ensuring a Project's Long-Term Survival with William Morgan

Post details
This week on The Business of Open Source, I have an episode recorded on site at KubeCon EU in Paris with William Morgan, CEO of Buoyant. We had a fabulous conversation, which touched on some touchy subjects, including Buoyant’s slightly changing relationship with Linkerd. But we talked...

Listened to
Retirement is for suckers with Cameron Seay (Changelog & Friends #36)

Post details
THE Cameron Seay joins us once again! This time we learn more about his life/history, hear all about the boot camps he runs, discuss recent advancements in AI / quantum computing and how they might affect the tech labor market & more!

Very open to supporting addition of more rules and custom advisories 😁
Between and I took 3733 steps.
Liked
Terence Eden (@Edent@mastodon.social)
Post details
Wondering what the world would look like if we implemented "Universal Basic Website". Entitle everyone to their own domain, a few GB of space, the ability to run simple apps / blogs / etc. What does the world look like if people aren't beholden to Flickr / Facebook / Google Photos to share their family albums? #UBI
Liked
Aral Balkan (@aral@mastodon.ar.al)
Post details
@ErikJonker@mastodon.social @Edent@mastodon.social Here’s an article about our pilot project in Ghent seven years ago (!!!) now. Unfortunately, a conservative local government took power and cancelled our funding. https://www.demorgen.be/nieuws/gent-wil-burgers-eigen-stukje-internet-geven~b92ec1b4/
Liked
Aral Balkan (@aral@mastodon.ar.al)
Post details
@ErikJonker@mastodon.social @Edent@mastodon.social My goal with the Small Web (Kitten, Domain, and Place) is to launch as a paid service so we can pay the mortgage and then, hopefully as people use it and maybe even as other orgs host Domain instances, to go to the EU, etc., and say “it works – now support this with our taxes.” We’ll see how it goes. The fact that we have had €zero EU funding to date doesn’t exactly fill me with hope.
Liked
Aaron Patterson (@tenderlove) on Threads

Post details
I got a new computer from work and my cat has blessed it with her face juice, so I think I can send the old one back now
