Gregory P. Smith (he/him) :python: 🚲🦝 :donor:

def code(bugs): yield from code(bugs)
#Python Software Foundation supporter
#cpython steering council member '22-'25 & core team
#bicyclist #bikecommutercabal

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: boosted:
David Lord :python: davidism@mas.to
2026-02-27

Most security reports could be a couple sentences and a small code snippet, and would be better for it. I hate that every report is written as if it were a blog post about their finding and how it's the greatest disaster of all time. Write as if you're having a dialog with a knowledgeable maintainer, wait for questions to elaborate if needed. LLMs have not made this better either.

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: gpshead@infosec.exchange
2026-01-26

@jacob I hope Gender Dr. has a side street named Miss Pl.

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: gpshead@infosec.exchange
2026-01-26

@glyph @jacob The hackerone AI pivot makes sense to me. There is a lot of value in automating so much of that work now that we can. Anyone seeking bounties is already doing the same.

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: gpshead@infosec.exchange
2026-01-26

@jacob agreed, they aren't high value for community run open source. Well resourced commercial entities can justify it. The Googles, Apples, and Microsofts have TM bearing Brands and Contractual Obligations to maintain.

Anyone trying to collectively organize bounties for OSS projects (is this what hackerone was doing?) is already on shaky ground if they don't provide expertise based filtering of reports seeking a bounty as part of that so that only actually worthy ones make it through to the volunteers.

At the end of the day, a security bug bounty program is a way to underpay a tiny fraction of gig-workers competing for work. In direct financial competition with their alt-gig-reward system of zero day exploit markets and state sponsored equivalent employers.

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: gpshead@infosec.exchange
2026-01-26

@nedbat Soo much test flakiness due to lru_cache decorators being added to codebases over time. Much hunting down caches and plumbing clears into fixtures ensues. I think in hindsight offering functools.lru_cache as a decorator was a bit too magical of a code pattern. I'd like anything cached to require a _cached suffix on its name. But that only solves highlighting immediate use of APIs where the name is seen. Most code involves transitive calls.

Use of a cache is effectively a taint that'd be nice to propagate upwards - it sounds like `pytest-antilru` effectively attempts this?! nice! - so that any given API use could be introspected to understand what caches code touched and how to clear them.

Runtime tracking such as the above is neat and practical. But from a static analysis PoV, it's "just" metadata on the data flow graph. I wonder what other design mistakes could be prevented via analysis if that were readily available without running the code.
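The failure mode this post describes, as an added example that is not from the post, CPython, or pytest-antilru: a cached read of mutable settings leaks across two consecutive tests, and a small constructed helper finds every lru_cache in a namespace and clears it the way an autouse fixture would. All names here are hypothetical.

```python
import functools
import sys

# Constructed example of mutable global state that is read through a cache.
SETTINGS = {"feature_flag": False}

@functools.lru_cache(maxsize=None)
def feature_enabled() -> bool:
    """Cached read of mutable state: whichever test calls first wins forever."""
    return SETTINGS["feature_flag"]

def find_caches(namespace):
    """Yield every lru_cache wrapper found in a module namespace dict."""
    for obj in namespace.values():
        if callable(obj) and hasattr(obj, "cache_clear") and hasattr(obj, "cache_info"):
            yield obj

def clear_caches(namespace):
    """Clear every cache in `namespace`; return the names cleared, for logging."""
    cleared = []
    for fn in find_caches(namespace):
        fn.cache_clear()
        cleared.append(fn.__name__)
    return cleared

def clear_caches_in_package(prefix):
    """Clear caches in every imported module whose name starts with `prefix`,
    so caches reached only through transitive calls are reset as well."""
    cleared = []
    for name, mod in list(sys.modules.items()):
        if mod is not None and name.startswith(prefix):
            cleared += clear_caches(getattr(mod, "__dict__", {}))
    return cleared

def run_without_clearing():
    """Two tests back to back in a fresh process: the second sees stale data."""
    feature_enabled.cache_clear()          # simulate a fresh interpreter
    SETTINGS["feature_flag"] = False
    first = feature_enabled()
    SETTINGS["feature_flag"] = True
    second = feature_enabled()             # still False: served from the cache
    return first, second

def run_with_clearing():
    """Same two tests with the cache cleared between them, as a fixture would."""
    clear_caches(globals())
    SETTINGS["feature_flag"] = False
    first = feature_enabled()
    clear_caches(globals())
    SETTINGS["feature_flag"] = True
    second = feature_enabled()
    return first, second
```

In a real suite, call `clear_caches_in_package("yourpkg")` from an autouse fixture so each test starts with empty caches regardless of which transitive call populated them.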

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: boosted:
2026-01-23

🚀 Calling all Startups! 🚀

Good news! The #PyConUS 2026 Startup Row application deadline has been extended to January 30, 2026.

Don’t miss your chance to showcase your startup to the Python community! 🐍

Details and how to apply
👉 us.pycon.org/2026/attend/start

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: gpshead@infosec.exchange
2026-01-18

@nyanbinary
Nobody can reply because they're still stuck trying to understand all of the regexes that claim to be for validating an email address.

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: boosted:
Glyph (@glyph)
2026-01-14

Look I know it's not a competition to have the _most_ maladaptive coping mechanism but you go to war with the psyche you have

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: boosted:
2026-01-14

Happy Solar New Year! My goal for this quarter is to figure out what kind of work I want to start looking for, and to put together a solid resume. To that end, I have a favor to ask. If you have any recent experience with looking for work, or any experience hiring folks, I'd like to pick your brain. If you've been looking for work or found a job, I want to know what worked for you and what didn't. If you're a hiring manager, I want to know what you look for, what kinds of questions you ask, and any other advice or ideas you may have. My initial list of questions is short, but I'm sure it will evolve as I talk to more folks. If you're up for having a chat with me, let me know and I will send you a meeting schedule link.

Boosts greatly appreciated.

#GetFediHired #HiringAdvice

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: gpshead@infosec.exchange
2026-01-14

@Ijohnson
@brass75 No strings attached.

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: boosted:
2025-12-23

The web as your plan B

I hate to see AT Proto use up creativity of web developers that imho haven't realized that they're pouring their ideas and work into someone else's platform, and that in the end they will control every bit of content that flows through their network. They might let you in, but I doubt they would do that until they had a feature that competes with your add-in.

Sure you can build another network using their identity system, and that was exactly the deal Twitter offered us. I went for it — who wants to develop a new identity system, when good old Twitter was letting us use theirs. I really think they meant well, sort of fits in with Jack Dorsey's way of looking at things.

It was a good deal for a lot of years, but then one day Elon Musk bought the company, and soon all bets were off. We had little warning before we had to move our act and all our users to another identity system. Lost a lot of traction right there.

My advice — think this through, now. And if you can't see a way that you share in the success of the company behind Bluesky, which we know very little about, then I urge you to at least have the web as a backup. Use a standard format to broadcast your writer's work to places outside the AT Proto-verse, so we can pick up your signal, and you'll still be on the air if they yank your chain. This alone might get the Bluesky folk to listen to you more carefully. My experience, no matter how much you want, you can't wish away the economics of this stuff.

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: gpshead@infosec.exchange
2025-12-13

@hugovk
Woo, I get a break! 😁
@pumpichank @dongheena @savannah @Yhg1s

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: boosted:
2025-11-30

Automatic license plate readers may seem like a good idea until you hear about the ways they enable cops to abuse women, all while not actually making you any safer skepchick.org/2025/11/the-poli

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: boosted:
Mike Fiedler, Code Gardener miketheman@hachyderm.io
2025-11-27

There's a nasty #OpenSource #SupplyChain worm going around named Shai-Hulud. It's also capable of exposing some projects' long-lived PyPI API Tokens. Read more on what's happening, and what you can do to protect your projects.

TL;DR: Adopt Trusted Publishing 🔐🚀📦

blog.pypi.org/posts/2025-11-26

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: boosted:
2025-11-19

🚨 New for #PyConUS 2026! 🚀

We’re adding 2 dedicated Talk tracks:
🔒 Trailblazing Python Security – making Python & PyPI safer
🤖 The Future of AI with Python – AI tools, ethics, & learning

Submit your talk before December 19! pycon.blogspot.com/2025/11/tra

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: boosted:
mekka okereke :verified: mekkaokereke@hachyderm.io
2025-11-16

Some of you want life to go back to how it was in 2016. That's your version of The Good Time (tm), because it was before ICE raids, and DOGE, and before science funding cuts.

But that's not what I want.

I want to go forward to The Good Times(tm), where Black folk don't get treated like this either

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: boosted:
2025-11-04

The wait is over — #PyConUS 2026 is here! 🙌

The #PyConUS 2026 site is now LIVE and the Call for Proposals is OPEN! We can't wait to welcome you to Long Beach, CA this spring and spotlight the incredible work happening across the Python community 🐍

👉 Details: pycon.blogspot.com/2025/10/pyc

PyCon US 2026 - May 13-May 19, 2026 in Long Beach, CA
Gregory P. Smith (he/him) :python: 🚲🦝 :donor: boosted:
mekka okereke :verified: mekkaokereke@hachyderm.io
2025-11-02

🤣 Oh no!

Someone must have clued Trump in to the fact that Venezuelan crude oil is higher quality than Saudi crude, but that Nigerian is even higher quality than Venezuelan.

And that Nigeria has the largest oil reserves in Africa. More than 3X more than Ukraine, Mexico, and Australia... combined.

Because I assure you he does not care about Nigerian Christians. At all.

I already wrote a thread on Islamic terrorism in Nigeria, and how fighting that does not require Islamophobia. ♥️🕊️

1. Terrorists in Nigeria killed more people than either Al-Qaeda or ISIS
2. Most of their victims are Muslim
🙂🙃

hachyderm.io/@mekkaokereke/112

And Nigeria has large reserves of rare earth minerals needed for the EV transition.

But yeah, Trump loves Nigerian Christians all of a sudden? No. Just... no. 🤡

He doesn't even show love for Black US Christians! But now we're supposed to believe that he's worried about Nigerians?

If he's so worried about Nigerian Christians, let him increase the asylum approvals! Like he did for South African farmers, right?

But you already know that he's not going to do that.

Gregory P. Smith (he/him) :python: 🚲🦝 :donor: gpshead@infosec.exchange
2025-10-20

Very excited to see that github.com/j178/prek exists.
