Whole-known-network
@mer@cdrom.tokyo flat penis is less scary than a ringing phone
<p><span class="h-card" translate="no"><a href="https://hachyderm.io/@liztai" class="u-url mention">@<span>liztai</span></a></span> It is your website! Do whatever pleases you. I am doing the same and I am really enjoying it. I have decided, though, that most of my members-only content will be made public after a short period of time.</p>
Is that your phone in your pocket or is your penis flat, rectangular and ringing?
<p>Few of the mooted software-supply chain defences would have prevented this, as the attacker was a (relatively) long-term maintainer, was not averse to using sockpuppet accounts and was careful to hide their exploit from automated tools.</p><p>Worse, many of the solutions being offered increase the workload on maintainers. But maintainer burnout was a key factor in this incident. We need to find a way to support maintainers while being proscriptive or paternalistic.</p><p>3/n</p>
<p>One factor in this incident was deep, unexpected dependency chains. I wish distributions would start taking a more minimalist approach to the options they enable in the default packages they ship.</p><p>What fraction of the sshd userbase actually needs Kerberos or SELinux (which also depends on liblzma) enabled? Put that stuff in an alternate package and reduce the exposure for the rest of your users. Fewer dependencies means less attack surface and less supply-chain risk.</p><p>2/n</p>
<p>Here's my 2c on the xz incident.</p><p>This is the nearest of near-misses. Anyone who suggests this was any kind of success is a fool. No system caught this, it was luck and individual heroics. That's not acceptable when unauthorised access to ~every server on the internet is on the table. We need to find a way to do better.</p><p>1/n</p>
<p><span class="h-card" translate="no"><a href="https://ngmx.com/@pathunstrom" class="u-url mention">@<span>pathunstrom</span></a></span> something like this, maybe.</p><p>- Get the parsed source of `spam`:</p><p>import ast, inspect<br />spam_ast = ast.parse(inspect.getsource(spam))</p><p>- Get all annotated assignments:</p><p># body[0] is the `spam` class/function itself; its .body holds the statements<br />assignments = [n for n in spam_ast.body[0].body if isinstance(n, ast.AnnAssign)]</p><p>- Find out names and types:</p><p>for a in assignments:<br /> # ast.unparse renders any annotation shape (int, list[int], Optional[str]), not only bare names<br /> print(a.target.id, ast.unparse(a.annotation))</p>
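A runnable version of the three steps in the reply above, added here as an example and not part of the original post. It generalizes the reply slightly: annotations of any shape (subscripts, dotted names, string forward references) are rendered, plain unannotated assignments are skipped, and the AST work is split from the `inspect.getsource` call so the same function can be run over source text. The class `Config`, the `Spam` source string and the function names `annotated_fields_from_source` / `annotated_fields` are constructed for this example.

```python
"""Extract `name: type` pairs from a class or function body with `ast`.

Added example, not code from the original post. `Config`, `SAMPLE_SOURCE`
and the two function names below are constructed for illustration.
"""
import ast
import inspect
import textwrap


def _render(node: ast.expr) -> str:
    """Render an annotation node as source text.

    A string annotation such as `"Spam | None"` is an ast.Constant; return its
    value rather than its quoted repr. Everything else (Name, Subscript,
    Attribute, BinOp for `X | Y`, ...) is handled by ast.unparse.
    """
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return ast.unparse(node)


def annotated_fields_from_source(src: str) -> dict[str, str]:
    """Return {target: annotation} for every annotated assignment in the body
    of the first top-level definition in `src`.

    ast.parse only builds a syntax tree; nothing in `src` is executed, which is
    why this is safe to run over untrusted source text.
    """
    module = ast.parse(textwrap.dedent(src))
    if not module.body:
        return {}
    first = module.body[0]
    if not isinstance(first, (ast.ClassDef, ast.FunctionDef, ast.AsyncFunctionDef)):
        raise TypeError(f"expected a class or function, got {type(first).__name__}")
    fields: dict[str, str] = {}
    for node in first.body:
        # AnnAssign is `x: T` or `x: T = value`; a bare `x = value` is Assign
        # and carries no annotation, so it is skipped.
        if isinstance(node, ast.AnnAssign):
            # The target may be a Name (`x`) or an Attribute (`self.x`);
            # ast.unparse renders both.
            fields[ast.unparse(node.target)] = _render(node.annotation)
    return fields


def annotated_fields(obj) -> dict[str, str]:
    """Same thing for a live class or function, reading its source via inspect
    (requires the object to have been loaded from a file on disk)."""
    return annotated_fields_from_source(inspect.getsource(obj))


# Constructed sample: annotations of several shapes plus one plain assignment.
class Config:
    host: str = "localhost"
    ports: list[int] = []
    timeout: "float | None" = None
    retries = 3  # plain assignment, not an AnnAssign


# Constructed sample source text, parsed without ever being imported.
SAMPLE_SOURCE = '''
class Spam:
    name: str
    tags: set[str] = set()
    parent: "Spam | None" = None
    count = 0
'''


if __name__ == "__main__":
    for name, ann in annotated_fields(Config).items():
        print(name, ann)
    print(annotated_fields_from_source(SAMPLE_SOURCE))
```

One design note: this is a purely static read. `typing.get_type_hints` would give the same names but resolves string annotations by evaluating them, so the AST route is the one to prefer when the source being inspected is not trusted.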
<p><span class="h-card" translate="no"><a href="https://mastodon.social/@whitequark" class="u-url mention">@<span>whitequark</span></a></span> I assure you litex is giving me more than one problem</p>
<p><span class="h-card" translate="no"><a href="https://ngmx.com/@pathunstrom" class="u-url mention">@<span>pathunstrom</span></a></span> ah, I misunderstood. Tried to look now around `inspect` and `ast` modules, but couldn't find anything off-hand.</p>