Zach Steindler

Looking at push activity is so much better than individual commits. Pushes are authenticated, unlike commit author identity. Looking at pushes you can more easily verify security practices, like requiring reviews (see #source-track" target="_blank" rel="nofollow noopener">slsa.dev/spec/v1.0/futu…). Excited to see where this goes!

An important update on our efforts to secure PyPI with multi-factor authentication: blog.pypi.org/posts/2023-05-…

We Want to Hear from You 🔊👂➡️ Take the OpenSSF Software Security Awareness Survey openssf.org/blog/2023/05/1…

Last week was a big one for open source security: - slsa.dev/blog/2023/04/s… - github.blog/2023-04-19-int… - blog.pypi.org/posts/2023-04-… ... and yet, there's so much more to do. I'm excited to serve on the 2023 OpenSSF TAC!

Big day for open source security! npm worked with the open source project Sigstore to put together a beta of provenance, verifiably tying npm packages back to their source code and build instructions: github.blog/2023-04-19-int…

Today we're proud to announce the release of version 1.0 of SLSA 🎉 Supply-chain Levels for Software Artifacts is an OpenSSF project that provides specifications for software supply chain security, established by community expert consensus. #OSSecurity

@drunkenwood There are also aperiodic tiles, which cover a surface with a pattern, but the *pattern never repeats* github.com/steiza/postscr…

🗒️ gh-sbom A gh CLI extension that outputs JSON SBOMs (in SPDX or CycloneDX format) for your GitHub repository github.com/advanced-secur…

✍️ Sigstore project announces general availability and v1.0 releases Two of @projectsigstore foundational projects, Fulcio and Rekor, published v1.0 releases as well @steiza on why GitHub is excited github.blog/2022-10-25-why… By @davelester, @rdcallaw opensource.googleblog.com/2022/10/sigsto…

Why is the @projectsigstore GA a big deal for developers? @steiza breaks it down for you. github.blog/2022-10-25-why…

Really loving all the excitement about @npmjs and @projectsigstore today. Thanks @lilyhnewman for interviewing @lorenc_dan and I on it today! wired.com/story/github-c…

Extremely excited about this. The npm team has been collaborating with GitHub's package security team for months putting together an RFC to improve the audibility and trust of npm packages using SigStore and trusted build infrastructure github.blog/2022-08-08-new…

Want to secure your builds, in the cloud, without scattering API keys everywhere? Come see my talk in ~25 minutes: youtube.com/watch?v=YHZdkp… or see my slides after at coffeehousecoders.org/blog/cloud_bui… #fwdcloudsec

@twbrandt Afterwards we found sylvan-township.org/consumers-will…

An exciting evening in #chelseami

Want to use GitHub-hosted Actions runners, but need to access resources on your private network? You’re in luck! We’ve documented 3 ways to do it ⬇️. github.co/3NbDkJE

@bdimcheff @akgood Yeah, you run the SSH CA, so you can have it enforce whatever requirements you'd like! Maybe you could convince @akgood to open source a serverless SSH CA that runs on GCP 👀

No new emoji flags, based on this post from the Unicode Emoji Subcommittee Chair (which has to be one of the best job titles I've ever heard): blog.unicode.org/2022/03/the-pa… cc @99piorg @BradyHaran @cgpgrey