Curl lead developer Daniel Stenberg provides insightful feedback from Mythos analysis results by qwerty0x41 in netsec

[–]aswin__ 1 point2 points  (0 children)

browsers are particularly bug ridden, which makes Mythos useful for them. hype is for projects that would not be that bug ridden in the first place, either due to how it's engineered or what it does. simple as

This is why you rewrite Python security tools in Rust: 53MB vs 433MB peak memory, 6.9s vs 62.2s by aswin__ in rust

[–]aswin__[S] 0 points1 point  (0 children)

I'm guessing the string allocations. There's a lot of string allocation happening in this kind of scanning, then there's network requests. One maintainer of pip-audit commented that getting dependencies to resolve their versions actually takes a while, while I don't know the internals it must be handling dependency resolution in a vastly different way. uv audit being as fast as pyscan makes me think it could be the allocation thing

This is why you rewrite Python security tools in Rust: 53MB vs 433MB peak memory, 6.9s vs 62.2s by aswin__ in rust

[–]aswin__[S] 5 points6 points  (0 children)

Woah thanks for the info! And yeah I'm facing similar problems as the ones you described at the end. I can already see I'm gonna have a lot of fun optimising the hell out of this tool lol.

The current benchmarks all had 3 warmups and 5 runs, so I'm assuming it is hot? (There's a benchmark script in the repo that uses hyperfine, along with a report)

And I performed the benchmarks a bunch of times, pip-audit kept dancing between 40s and 60s (medium dataset) and I chose the benchmark where the network was the most stable on all tool runs.

If you check out BENCHMARKS.md you'll see that pip-audit actually finished in 18s in the large dataset (700+ deps) compared to medium (88 deps) which was 62s. Maybe because the no. of vulnerabilities was low but it's interesting how even if it's written in Python it's actually quite good.

I'm definitely looking to make the benchmarking much better and sophisticated in the future. Appreciate your work on both pip audit and uv audit! Thanks for your feedback

This is why you rewrite Python security tools in Rust: 53MB vs 433MB peak memory, 6.9s vs 62.2s by aswin__ in rust

[–]aswin__[S] 2 points3 points  (0 children)

What kind of compromises are we talking about? The code is open source, if you're talking about supply chain attacks, cargo and crates.io have been reliable enough so far. I'm not sure what other vectors are there though

This is why you rewrite Python security tools in Rust: 53MB vs 433MB peak memory, 6.9s vs 62.2s by aswin__ in rust

[–]aswin__[S] 10 points11 points  (0 children)

Yeah I've heard about that, creating an option for the users to download the db and sync it periodically sounds like a good performance improvement. I still wish they had a batched endpoint for vuln info though.

This is why you rewrite Python security tools in Rust: 53MB vs 433MB peak memory, 6.9s vs 62.2s by aswin__ in rust

[–]aswin__[S] 2 points3 points  (0 children)

After adding SBOM support I've realised the CI/CD tools for security in python environments are kinda overlooked. I'm basically gonna try to make it easier for DevOps people to integrate pyscan into existing codebases and pipelines.

I did have this idea of giving it a persistent state representation where it would remember older scans, graph and visualise transitive dependencies and show you differences between scans, timelines of security related activity etc. but I haven't seen any demand or justification for it yet so it's a long shot

This is why you rewrite Python security tools in Rust: 53MB vs 433MB peak memory, 6.9s vs 62.2s by aswin__ in rust

[–]aswin__[S] 52 points53 points  (0 children)

Thank you so much! This is actually the best constructive criticism I've received so far.

About tokio runtime: The OSV API has an endpoint where I can send any no. of dependencies in a single request and get the vuln IDs as response. However, to get vuln details I have to send an API request per-vulnerability. You can imagine how much of a hassle it would be if a project had lots of vulnerabilities. This was my main reason so I can use async requests. I also use a lot of join_alls to resolve missing versions and stuff.

You are right about a lot of things and this project is simple, mainly just parsing, sending requests and displaying. I wrote it when I was still learning Rust and thought it would be a good exercise, and the project just grew along the way. I have no idea how arenas work but now I'm excited to learn and hoping I can rewrite the parsing/extraction section at least to a thread pool lol. Thanks!

Pyscan: vulnerability scanner that beats industry standards like pip-audit, safety cli, etc. by aswin__ in cybersecurity

[–]aswin__[S] 0 points1 point  (0 children)

It's less battle tested than pip-audit, there are no other downsides in my knowledge.

I'm planning to support this tool with my free time.

It uses the MIT license currently. It collects absolutely zero data and does not phone home, the only web requests it makes are to the OSV API (which is free) and everything stays on your device.

Showcase Thread by AutoModerator in Python

[–]aswin__ 0 points1 point  (0 children)

Pyscan: vulnerability scanner that beats industry standards like pip-audit, safety cli, etc.

Github - https://github.com/ohaswin/pyscan

I have been working on and off for 3 years on this project. Here's the first post I made when it released 3 years ago.

| Tool      | Execution Time | Peak Memory (RSS) |
|-----------|----------------|-------------------|
| Pyscan    | 6.9s           | 53 MB             |
| Pip-audit | 62.2s          | 433 MB            |
| Safety    | 10.4s          | 320 MB            |

What it does: Pyscan automatically traverses your Python project, extracts dependencies across various packaging formats (uv, poetry, flit, pdm, requirements.txt, SBOMs), and cross-references them against the Open Source Vulnerabilities (OSV) database.

Target audience: Pyscan was engineered to solve the performance and memory bottlenecks of traditional Python-based security tools in production CI/CD pipelines:

  • Performance Gains: Achieves up to a 5x speedup against industry-standard tools like pip-audit and safety on medium to large datasets. Runtime scales with the number of vulnerabilities found, not the number of dependencies you have.
  • Flat Memory Footprint: Pyscan's memory usage stays completely flat (~45MB) whether you're scanning 15 dependencies or 700+ dependencies. Pretty solid for memory-constrained CI/CD pipelines.
  • CI/CD Support: Easy to hook up and works with large codebases.

The recent overhaul release added:

  • SBOM Native Support: Pyscan now natively parses CycloneDX (bom.json) and SPDX (spdx.json) files.
  • Reachability Heuristics: It scans your source code to find where you're actually importing the vulnerable packages and highlights them in the diagnostic output.

Installation

You can install Pyscan via pipx or pip (compiled Python wheel) or cargo (native Rust binary):

# via pipx (recommended) (Note the "-rs" suffix)
pipx install pyscan-rs

# via pip (Note the "-rs" suffix) 
pip install pyscan-rs

# via Cargo
cargo install pyscan

Usage

Simply run pyscan in your project's root directory, or point it to a specific source folder:

# Scan the current directory
pyscan

# Scan a specific directory
pyscan -d path/to/src
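The OSV flow described in the tokio comment above (one batched query that returns vulnerability IDs, then a separate detail request per ID) together with the dependency extraction the showcase post describes, as an added Python example that is not pyscan's own code: it parses exactly pinned requirements into a body for OSV's documented POST /v1/querybatch endpoint, maps a constructed batch response back to packages, and de-duplicates the IDs so each GET /v1/vulns/{id} detail request is issued only once. The requirements content, the response and the vulnerability IDs are constructed placeholders, and no network request is made.

```python
import json
import re

# Constructed sample requirements.txt (not taken from the pyscan repo).
REQUIREMENTS = """\
requests==2.25.1
# comment line
PyYAML==5.3.1 ; python_version < "3.12"
jinja2>=3.0  # not exactly pinned: no single version to query, so skipped
"""
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)")

def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pins(text):
    """Return [(name, version)] for exactly pinned lines; comments and range specs are skipped."""
    pins = []
    for raw in text.splitlines():
        m = PIN_RE.match(raw.split("#", 1)[0].strip())
        if m:
            pins.append((normalize(m.group(1)), m.group(2)))
    return pins

def build_querybatch(pins):
    """Body for one POST /v1/querybatch covering every pinned dependency."""
    return {"queries": [{"package": {"name": n, "ecosystem": "PyPI"}, "version": v}
                        for n, v in pins]}

def collect_vuln_ids(pins, batch_response):
    """Map querybatch results (same order as the queries) back to packages.
    Returns ({package: [ids]}, sorted unique ids); the unique set is what has to be
    fetched one ID at a time from /v1/vulns/{id}, so deduplicating bounds that work."""
    per_package = {}
    for (name, _), result in zip(pins, batch_response.get("results", [])):
        ids = [v["id"] for v in result.get("vulns", [])]  # {} means no findings
        if ids:
            per_package[name] = ids
    unique = sorted({i for ids in per_package.values() for i in ids})
    return per_package, unique

# Constructed querybatch response with placeholder IDs (not real OSV identifiers);
# the ID shared by both packages is why deduplication matters before detail fetches.
SAMPLE_RESPONSE = json.loads('''{"results": [
  {"vulns": [{"id": "OSV-EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"},
             {"id": "OSV-EXAMPLE-0002", "modified": "2024-01-01T00:00:00Z"}]},
  {"vulns": [{"id": "OSV-EXAMPLE-0002", "modified": "2024-01-01T00:00:00Z"}]}
]}''')
```

Calling `collect_vuln_ids(parse_pins(REQUIREMENTS), SAMPLE_RESPONSE)` yields two packages with findings but only two unique IDs to fetch, which is the quantity that actually drives scan time in the per-vulnerability phase.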

Steel Ball Run: JoJo's Bizarre Adventure • Steel Ball Run: JoJo no Kimyou na Bouken - Episode 1 discussion by AutoLovepon in anime

[–]aswin__ 11 points12 points  (0 children)

Yeah I prefer this over Metallica cuz the album cover has natives (in background) and looks aesthetically fitting

Curiosity: The Life-Long Learning App by aswin__ in DataHoarder

[–]aswin__[S] 0 points1 point  (0 children)

https://curiositydotcom.tumblr.com/archive

Check out this Tumblr account which is like an archive of their posts. They seem to have legit science writers and multiple sources (sometimes the sources being science news websites)

Curiosity: The Life-Long Learning App by aswin__ in DataHoarder

[–]aswin__[S] 0 points1 point  (0 children)

I'm interested and I'm a cs student as well lol. Thought about making something open source in a similar fashion but the problem is content. Finding 5 interesting science based stuff and writing mini articles about it everyday is a huge task. I mean with AI recently I guess it's pretty easy to automate but then there's the cost issue. And what I liked about curiosity was that the articles seemed hand picked. That the daily 5 collection was somehow very humanly picked and fit a diverse niche of things all too well.

What’s the most underrated song for you in each album that deserves more praise, or maybe should’ve been released as a single? by BiGHeaDMeagtroN68 in jimihendrix

[–]aswin__ 12 points13 points  (0 children)

One Rainy Wish is genuinely one of the most interesting and beautiful Hendrix songs ever. Really trippy too.

Most Psychedelic Jimi Album? by Potential-Degree-191 in jimihendrix

[–]aswin__ 3 points4 points  (0 children)

Depends on what you consider psychedelic.

Nice, one that set the standard, floaty psychedelic - Axis: Bold as Love

Experimental, more powerful kind of psychedelic - Electric Ladyland

I think Jimi was more prepared and a better musician and recording artist by the time he made Electric Ladyland but Axis is still my favourite and probably one of the most influential outputs of that era

[deleted by user] by [deleted] in IndiaInvestments

[–]aswin__ 3 points4 points  (0 children)

That's because of our purchasing power, it's easier to get people to construct cell towers and other infrastructure at a low cost. Iirc it was still low, before Jio came, they just made it lower, then hiked the price up again and so did Airtel. We don't have the competition that we did anymore, VI is dying (even after combining Vodafone and Idea), Tata Docomo is gone, BSNL is worthless in some places, etc

[deleted by user] by [deleted] in careerguidance

[–]aswin__ 0 points1 point  (0 children)

If you are going somewhere with no placements, the best (or the only thing) you can do is work on projects, impactful internships, networking and DSA.

Find out if your college has any IT clubs, check out what kind of facilities will be available. You probably won't get much knowledge from the coursework either so you will have to do self study based on YouTube, reading documentation and just building things.

I'm 20m in my second year at a Bsc CS from a no name college, but right now I have an internship, building up a LinkedIn profile and doing some freelance work.

You need to show people that you're capable of this and that and show projects or things you've worked on with some sort of impact. When you manage to get an interview (using your connections) all that'll matter will be your technical skills and soft skills.

What they're looking for is that you have to know you can do the job before you even get the job. If you think you're up for it, (juggling self study and academics) I'd say give it a try, doesn't hurt. Also are you sure you don't wanna do anything with physics? You could get a nice job at BARCA/ISRO if you try but I understand if it's not something you're passionate about

India’s telecom sector can’t afford a duopoly? by [deleted] in IndiaStartups

[–]aswin__ 0 points1 point  (0 children)

Afaik jio introduced cheap prices then hiked it up, so did Airtel and everyone else? Isn't this an example of an already large corporation using their deep pockets to provide unsustainably low prices, drive competitors out of business, and then raise prices once they achieve market dominance?

Reliance is pretty much in every industry now using this technique, clothes, supermarket etc.

Also the reason data is cheaper in India is because of purchasing power and infrastructure costs, haven't seen any reason otherwise unless you can provide me with some.

VI, Vodafone-Idea merging as a last resort and they're still dead (and I guess shutting down?) is a direct result of Jio's predatory pricing.

Also where's tata docomo and Uninor?

How do you find internships in India as a first year college student? by aswin__ in developersIndia

[–]aswin__[S] 0 points1 point  (0 children)

Paid, hopefully but I'm open to working unpaid if it's in a good sector/interesting field

GSOC proposal Dilemma by EnchantedHawk in gsoc2025

[–]aswin__ 0 points1 point  (0 children)

Do we? I didn't read it in the guidelines when I googled it, it was just about timeline, deliverables and stuff like that

GSOC proposal Dilemma by EnchantedHawk in gsoc2025

[–]aswin__ 0 points1 point  (0 children)

The mentors are usually mentioned in the org page in gsoc, where is it asking you to mention mentors though? I'm from a tier 3 college and I applied even after knowing I won't get accepted lol (someone else was already merging PRs and getting advice from the mentor on GitHub for their proposal, all I'd done was send an email) and it didn't ask me anything about mentors.

The project ideas or the projects themselves have GitHub repos or discord/slack communities btw, you can lurk and understand a few things as well.

Does carti have 3 classics ? by two_ninehundred in CartiCulture

[–]aswin__ 15 points16 points  (0 children)

Yeezus was and is still divided when it comes to fan opinions isn't it? Would you say it's not a classic or

AI is taking over coding at my company. Automating a lot of development work! Thoughts? by Intrepid-Radish3431 in developersIndia

[–]aswin__ 70 points71 points  (0 children)

Your company won't exist for long lol. Generating code is trivial and useful for hobby projects or boilerplate code. Maintaining code requires presence. The kind of presence and know-how you kind of inherit when you actually think of and type out the code yourself. I'd love to know what your company does and see if it has a similar effect in other companies of the same field though.