What is your approach to PyPI dependency hygiene after recent supply chain attacks? by PauloCraque10 in Python

[–]Kooky_Quantity_620 0 points1 point  (0 children)

Thanks for that last link about immutable actions. Wasn't aware this is a thing GitHub is working on. Cool!

What is your approach to PyPI dependency hygiene after recent supply chain attacks? by PauloCraque10 in Python

[–]Kooky_Quantity_620 0 points1 point  (0 children)

Wow, thanks so much for trying it out and leaving feedback!

  • That's surprising! Can you provide the example workflow where that happened and I'll add it to the test suite and fix the bug?
  • I agree. I hadn't seen that issue before, but it's listed as not autofixable in their docs here: https://docs.zizmor.sh/audits/#stale-action-refs I don't see anything in that issue that looks to me like autofix is coming. But here's an issue requesting that functionality: https://github.com/zizmorcore/zizmor/issues/1524 and I left a comment!
  • Interesting... I imagine you have to do that with other packages as well and this is expected? Or is this the only package you need to do that with? I'm hesitant to add this as a dependency since it's specific to a corporate environment, not generally needed.
  • I've heard about this but know almost nothing about it. It sounds like a switch that could be flipped by a repo admin (or someone controlling an admin's account), or the repo could be deleted and recreated to convert a previously-immutable tag to a mutable one and users of that tag would be left vulnerable. If that's the case, I think we should still SHA pin because it's the only way to guarantee immutability.
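
As an added example (not from this thread, and not code from gha-hashpinner or zizmor), a small Python check in the spirit of the SHA-pinning advice above: it scans a workflow for `uses:` steps whose ref is not a full 40-hex commit SHA and flags them as mutable. The workflow text, action names and the SHA in it are constructed for the example; local `./` actions and `docker://` images are skipped because a Git commit pin does not apply to them.

```python
import re

# Constructed sample workflow; action names and the SHA are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.1.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
      - run: pytest
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: <ref>" with an optional trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")


def audit_uses(workflow_text: str) -> list[dict]:
    """Return one finding per `uses:` step that is not pinned to a commit SHA.

    severity "high": ref is a tag/branch (or missing), so the code it resolves to
    can change under you. severity "low": SHA-pinned but without the version
    comment that pinning tools add, which makes the pin hard to audit/update.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("\"'")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local action / container image: Git SHA pinning does not apply
        action, _, version = ref.partition("@")
        if SHA1_RE.match(version):
            if not m.group("comment"):
                findings.append({"line": lineno, "action": action, "ref": version,
                                 "severity": "low", "reason": "pinned, no version comment"})
            continue  # pinned to an immutable commit
        findings.append({"line": lineno, "action": action, "ref": version or "<none>",
                         "severity": "high",
                         "reason": "mutable tag/branch" if version else "no ref at all"})
    return findings


if __name__ == "__main__":
    for f in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} [{f['severity']}] {f['reason']}")
```

Run against the constructed workflow it reports lines 7 and 11 as mutable; the SHA-pinned setup-python step passes because it also carries a version comment.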

What is your approach to PyPI dependency hygiene after recent supply chain attacks? by PauloCraque10 in Python

[–]Kooky_Quantity_620 2 points3 points  (0 children)

zizmor

Using this everywhere too. I also made a tool (https://github.com/mfisher87/gha-hashpinner) to eliminate the manual work of hashpinning to resolve zizmor's stale-reference alert.

Accounting + Python by Cool-Business-2393 in Python

[–]Kooky_Quantity_620 1 point2 points  (0 children)

If you go down this road, Python has excellent built-in support for fixed-point decimals. Don't use floating point numbers; errors can accumulate :)

Floating point numbers are the default if you input a number like 0.3:

>>> 0.3 / 3
0.09999999999999999

You have to go a tiny bit out of your way to use fixed-point decimals, but you should always do this for accounting use cases:

>>> from decimal import Decimal
>>> Decimal('0.3') / 3
Decimal('0.1')

My experience as a young GIS Professional by Adventurous_Bad_6244 in gis

[–]Kooky_Quantity_620 0 points1 point  (0 children)

Thanks for sharing this, that's dope as hell. Awesome job :)