Eric Chiang

@ericchiang.bsky.social

@oblique.security. Ex Google Security, CoreOS. ericchiang.github.io

103 Followers  |  117 Following  |  33 Posts  |  Joined: 07.03.2024

Latest posts by ericchiang.bsky.social on Bluesky

It turns out workload identity isn't a complete mess in 2025 (only a little one)? Wrote a bit about authenticating GitHub Actions identity directly using OpenID Connect.

31.07.2025 23:22 - 👍 2    🔁 0    💬 0    📌 0

Oh hey, what's this fancy new IAM company?

23.06.2025 20:27 - 👍 2    🔁 0    💬 0    📌 0

A friend needs a Workday test instance to build something interesting. Anyone know how to get one?

(A Workday instance; I kinda already know how to get a friend.)

09.06.2025 23:30 - 👍 50    🔁 4    💬 8    📌 0

We're doing new container runtimes in 2025? Hell yeah

09.06.2025 21:02 - 👍 5    🔁 0    💬 1    📌 0

So if I'm reading this right

Step 1 - generate a private key with no forward secrecy

Step 2 - upload private key to twitter (but don't worry it's protected by a low entropy PIN)

Ummmmmmmmm

05.06.2025 15:51 - 👍 2    🔁 0    💬 1    📌 0
So that's effectively the AWS story, which is terrible but at least it's possible to cobble together something that works and you can audit. Google looked at this and said "what if we could express how much we hate Infrastructure teams as a service?" Expensive coffee robots were engaged, colorful furniture was sat on and the brightest minds of our generation came up with a system so punishing you'd think you did something to offend them personally.

Every day I'm glad my job isn't staring into the IAM abyss of a large Cloud org.

matduggan.com/iam-is-the-w...

16.05.2025 21:00 - 👍 2    🔁 0    💬 0    📌 0

What a sicko

07.05.2025 20:34 - 👍 2    🔁 0    💬 1    📌 0

Every time you feel useless, remember that GitHub has a notifications tab

07.05.2025 20:02 - 👍 2    🔁 0    💬 1    📌 0
Meta Awarded $167 Million in Damages From Israeli Cybersecurity Firm

who needs coherent cyber policy when we excel so much at corporate litigation?

www.nytimes.com/2025/05/06/t...

07.05.2025 02:34 - 👍 1    🔁 0    💬 0    📌 0
runtime: green tea garbage collector · Issue #73581 · golang/go Green Tea 🍡 Garbage Collector Authors: Michael Knyszek, Austin Clements Updated: 2 May 2025 This issue tracks the design and implementation of the Green Tea garbage collector. As of the last update...

New experimental garbage collector for Go programs! github.com/golang/go/is...

02.05.2025 18:54 - 👍 123    🔁 41    💬 2    📌 2

@mayakaczorowski.com's been using it a ton and had great things to say.

05.04.2025 18:31 - 👍 1    🔁 0    💬 1    📌 0

📣 Today, we're super excited to announce our latest product addition: Continuous Profiling for GPUs! Check out the use cases and sign up for early access on the announcement post! 🔥📈

www.polarsignals.com/blog/posts/2...

01.04.2025 15:49 - 👍 8    🔁 3    💬 0    📌 5

You're not even using nix packages? What kind of tech hipster are you?

27.03.2025 16:06 - 👍 1    🔁 0    💬 1    📌 0
Remote Code Execution Vulnerabilities in Ingress NGINX | Wiz Blog Wiz Research uncovered RCE vulnerabilities (CVE-2025-1097, 1098, 24514, 1974) in Ingress NGINX for Kubernetes allowing cluster-wide secret access.

Scraping Kubernetes codebases for os/exec continues to pay dividends

www.wiz.io/blog/ingress...

26.03.2025 18:27 - 👍 0    🔁 0    💬 0    📌 0
Next.js and the corrupt middleware: the authorizing artifact CVE-2025-29927

"middleware:middleware:middleware:middleware:middleware" is the new bloody mary

zhero-web-sec.github.io/research-and...

24.03.2025 14:42 - 👍 0    🔁 0    💬 0    📌 0

I really wish progressive web apps took off so every app didn't come with a chrome fork

24.03.2025 01:25 - 👍 2    🔁 0    💬 1    📌 0
GitHub - Zouuup/landrun: Run any Linux process in a secure, unprivileged sandbox using Landlock LSM. Think firejail, but lightweight, user-friendly, and baked into the kernel. Run any Linux process in a secure, unprivileged sandbox using Landlock LSM. Think firejail, but lightweight, user-friendly, and baked into the kernel. - Zouuup/landrun

Awesome to see Landlock making unprivileged isolation so easy. As someone who maintained bubblewrap jails, I'm hoping that this takes over user namespaces. Things like network controls are always a mess there.

github.com/Zouuup/landrun

23.03.2025 17:01 - 👍 1    🔁 0    💬 0    📌 0

Quick reminder:

14.03.2025 21:48 - 👍 3    🔁 1    💬 1    📌 0

Was it petty? Yes. Was it necessary? Also yes.

14.03.2025 22:45 - 👍 2    🔁 0    💬 0    📌 0
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials Critical authentication bypass vulnerabilities were discovered in ruby-saml up to version 1.17.0. See how they were uncovered.

"No way to see this coming" says only auth protocol with regular auth bypasses

github.blog/security/sig...

14.03.2025 21:46 - 👍 0    🔁 0    💬 1    📌 0
A Python code comment that says "Welcome to the spaghetti factory"

"Vibe coding will ruin the quality of our codebase!"

The codebase:

github.com/pandas-dev/p...

12.03.2025 22:50 - 👍 1    🔁 0    💬 1    📌 0

On my way to New York! I'll be there from Monday until Thursday evening, and still have some room to meet on Wednesday afternoon, anyone want to chat databases/observability/performance? Feel free to DM me!

02.03.2025 17:08 - 👍 11    🔁 4    💬 1    📌 0
Eric Chiang | Confidential Compute and GPUs

I finally read up on NVIDIA Confidential Compute, so you don't have to! Surely this will make all of our AI secure

ericchiang.github.io/post/confide...

28.01.2025 16:37 - 👍 1    🔁 0    💬 0    📌 0

Do OSS, it'll be fun!

*Ten years later and still getting reports on my day off about other people's buggy implementations*

20.01.2025 18:16 - 👍 1    🔁 0    💬 0    📌 0

According to Giraffe Security, AWS staff have somehow managed to re-introduce the same RCE vulnerability into its platform three times over the past four years

giraffesecurity.dev/posts/amazon...

08.01.2025 22:47 - 👍 40    🔁 10    💬 2    📌 1
Attestations: A new generation of signatures on PyPI For the past year, we’ve worked with the Python Package Index (PyPI) on a new security feature for the Python ecosystem: index-hosted digital attestations, as specified in PEP 740. These attestatio…

One of the coolest pieces of security tech I read about in 2024 was PyPI's builder identity verification done by Trail of Bits. Didn't see much fanfare in my feeds when it was published, but definitely worth the read.

blog.trailofbits.com/2024/11/14/a...

05.01.2025 18:32 - 👍 1    🔁 1    💬 0    📌 0

Streaming media DRM has nothing to do with TPMs and the FSF is just plain wrong: mjg59.dreamwidth.org/70954.html

02.01.2025 01:16 - 👍 49    🔁 12    💬 3    📌 0
git-codereview command - golang.org/x/review/git-codereview - Go Packages

Reminds me of Go's codereview plugin, which presents a higher level "change" abstraction on top of git. Figure if you're running a large project, you've already got a PR style guide. Much easier if you can just say "use this tool to contribute"

pkg.go.dev/golang.org/x...

29.12.2024 02:40 - 👍 0    🔁 0    💬 0    📌 0

If the rust compiler is slow, why don't rustaceans simply rewrite it in rust?

25.12.2024 20:18 - 👍 6    🔁 1    💬 0    📌 0