Louis Maddox
@permutans.bsky.social
110 followers 97 following 1.8K posts
Combinatorially curious https://spin.systems
Pinned
✍️ Wrote about keeping calm and shipping OSS and why arguing for a feature should feel more like giving a proof against the spec than trying to win a debate cog.spin.systems/keep-calm-an...
Keep Calm and Ship On 🚢
Your guide to being a model OSSizen
Mulled it for a minute & gcmti is gonna leave it [permanently] optional to use gitoxide (which also means I can avoid dealing with it for an MVP), mainly I just want to prevent git alias hijacking and set a least privilege policy on git ops via config for high risk situations like release automation
// In a real reply I would not make such a dumb joke
You’re absolutely right!
Wondering whether there’d be more or less risk from using gitoxide gix crates over git itself and what the upsides would be if any… I mean I guess speed
ID: CVE-2024-45405
CVSS V3.1: MEDIUM
`gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing with paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated...
#security #infosec #cve-alert
If you are looking for skills you can just search github, I accidentally came across one for uv yesterday github.com/wshobson/age...

which in turn feels like a repackaging of willccbb’s MCP markdown repo github.com/willccbb/cla...

(Both appeared here grep.app/search?q=uv+...)
I feel like Makefiles are somehow more built to accrete and become balls of pseudo-program whereas Justfiles are somehow more inherently ready to be exfiltrated out into real software, can’t really explain why

Maybe it’s sociocultural but still “the purpose of a system is what it does” and all that
“your Justfile is my opportunity”
Hmmmmm wait maybe I do now have a good reason to make this 🗿
concept: git commit wrapper called ‘giacometti’
Convinced sufficiently hardened: supply chain attack surface is a task runner binary (🧷 version pin), and the action (🧷 SHA pin)

Nobody can intercept your task recipe without overwriting its file (Justfile recipe names checked for uniqueness)

Maybe `command git` would seal it (prevent alias hacks)
Officially completely automated my Python package release (can now cut releases from the CI web interface) 🥳 github.com/lmmx/comrak/...

Basically trivial once you’ve siphoned your process into Justfile tasks, the taiki-e/install-action lets you cargo-binstall the just runner in CI
“Official Debian/Ubuntu repositories are out of sync so we host binaries on our CLI marketing site”

How does this happen to an org like *GitHub*? 😔
What if we normalised applying codemods to multiple repos at once… Would be a big force amplifier for task runners and configs where you tend to find an entirely better way of doing things but then have to deal with re-releasing in multiple places
Reposted by Louis Maddox
Can confirm, for one-off tools the New Way is an incredible force multiplier.

In org settings, it shifts the power balance between waiting and doing.

The problems as always start when that little prototype becomes load-bearing in any sense (must be maintained, other people depend on it etc)
One of our students vibed an extremely useful map visualizer in a few hours. We would just never have done it before because it would have been a week of work. We are in a new world.
You can’t spell acrobatics backwards without “CI”
aaand PyO3 imposes an upper bound so I added one
Alternative version that lower bounds the listed cpython versions by the `requires-python` version in pyproject TOML gist.github.com/lmmx/0a3cfb8...
Got it 😄 `uv python list --all-versions` has structured JSON!
Anyone have a nice CI test workflow for Python that automatically generates the version matrix from the requires-python metadata // otherwise low maintenance and `uv`-maxxing?
Reposted by Louis Maddox
ChatGPT’s new Atlas browser doesn’t just see what you read — it remembers it.

@eff.org’s Lena Cohen showed me it even logged “memories” of her looking for *abortion care* and her doctor’s name. Out-surveils even Chrome.

My @washingtonpost.com column: wapo.st/49bOcVC
Column | ChatGPT just came out with its own web browser. Use it with caution.
OpenAI’s Atlas promises AI-powered convenience. The price? Letting ChatGPT track and store “memories” of what you do online.
Early new year’s resolution: get to 100% PyPI Trusted Publishing releases before the new year
Ah nice there were a few improvements just made to harden the CI github.com/j178/prek/pu...
Jarek from Airflow points out that octopin (from Eclipse Foundation) can be used to enforce SHA pins as a pre-commit hook github.com/eclipse-csi/...

Background on zizmor: bsky.app/profile/josh...
A new “job interview scam”, reverse of the ‘IT worker scam’, here people pose as an exec at a [real] company but the take-home task runs malware (here in a React/Node codebase) www.theregister.com/2025/10/16/n...

> JADESNOW uses EtherHiding to fetch, decrypt, and execute malicious payloads