71 private links
This is a worthwhile question... We try to reuse, but maybe we do it too much? For sure, some ecosystems quickly lead to hundreds of dependencies even for small features.
The browser extension ecosystems are definitely a weak link in terms of security. Better not to have too many random extensions installed.
Let's hope security teams don't get saturated with low quality security reports like this...
Interesting approach to have secure and decentralized naming while keeping it human readable.
Will we see more deployments of the C++ standard library with bounds checking by default? It definitely looks tempting.
Seeing the amount of PHP code open on the internet, it's indeed important to harden the runtime (at long last).
Nice chain of attacks. This shows that more than one vulnerability needs to be leveraged to reach root access. This provides valuable lessons.
Fascinating research about side-channel attacks. Learned a lot about them and website fingerprinting here. Also interesting are the explanations of how the use of machine learning models can actually get in the way of properly understanding the side channel an attack really uses, which can prevent developing actually useful countermeasures.
Looks like there are people out there trying to take Tor relays down... and they found a smart networking trick I'd expect not to work anymore.
Definitely an interesting tool. GitHub Actions workflows aren't easy to set up while ensuring they're secure; having a tool that analyzes them for issues can only help.
Nice technique for automating the verification of SSH host keys. It'd be nice to see wider adoption.
Good reminder that /tmp has many security flaws built in.
It's tempting to use uv. It's probably fine on the developer workstation at this point. It looks a bit early to use it in production though; it's a bit young for that and still carries questions regarding supply chain security.
It's a very important project, and it's really concerning that this attack went through. The service is still partly disrupted but they're showing signs of recovery. Let's wish them luck and good health. This archival service is essential for knowledge and history preservation on the web.
This one is definitely a bad one. Looks like CUPS is a weak part of the ecosystem, especially when coupled with zeroconf. I wouldn't be surprised to see macOS being affected too.
More details about the KIA security issue. Clearly, securing the embedded systems isn't worth much if it's all then exposed via unsafe web services.
Could we just stop connecting cars with web access for features we don't really need? Please?
Excellent proof of why you don't want to "rewrite it all in Rust". It's important to respect the old code and focus on applying safety practices to the new code. This is also why the upcoming changes to C++ are worth it; they might improve the interoperability factor almost for free.
Lots of good stuff definitely coming. This should definitely help make it more approachable to lots of people.
People are putting LLM-related features out there too hastily for my taste. At least they should keep in mind the security and safety implications.