Celebrating our 2025 open-source contributions

Last year, our engineers submitted over 375 pull requests that were merged into non–Trail of Bits repositories, touching more than 90 projects from cryptography libraries to the Rust compiler.

This work reflects one of our driving values: “share what others can use.” The measure isn’t whether you share something, but whether it’s actually useful to someone else. This principle is why we publish handbooks, write blog posts, and release tools like Claude skills, Slither, Buttercup, and Anamorpher.

But this value isn’t limited to our own projects; we also share our efforts with the wider open-source community. When we hit limitations in tools we depend on, we fix them upstream. When we find ways to make the software ecosystem more secure, we contribute those improvements.

Most of these contributions came out of client work—we hit a bug we were able to fix or wanted a feature that didn’t exist. The lazy option would have been forking these projects for our needs or patching them locally. Contributing upstream instead takes longer, but it means the next person doesn’t have to solve the same problem. Some of our work is also funded directly by organizations like the OpenSSF and Alpha-Omega, who we collaborate with to make things better for everyone.

Key contributions

• Sigstore rekor-monitor: rekor-monitor verifies and monitors the Rekor transparency log, which records signing events for software artifacts. With funding from OpenSSF, we’ve been getting rekor-monitor ready for production use. We contributed over 40 pull requests to the Rekor project this year, including support for custom certificate authorities and support for the new Rekor v2. We also added identity monitoring for Rekor v2, which lets package maintainers configure monitored certificate subjects and issuers and then receive alerts whenever matching entries appear in the log. If someone compromises your release process and signs a malicious package with your identity, you’ll know.
• Rust compiler and rust-clippy: Clippy is Rust’s official linting tool, offering over 750 lints to catch common mistakes. We contributed over 20 merged pull requests this year. For example, we extended the implicit_clone lint to handle to_string() calls, which let us deprecate the redundant string_to_string lint. We added replacement suggestions to disallowed_methods so that teams can suggest alternatives when flagging forbidden API usage, and we added path validation for disallowed_* configurations so that typos don’t silently disable lint rules. We also extended the QueryStability lint to handle IntoIterator implementations in rustc, which catches nondeterminism bugs in the compiler. The motivation came from a real issue we spotted: iteration order over hash maps was leaking into rustdoc’s JSON output.
• pyca/cryptography: pyca/cryptography is Python’s most widely used cryptography library, providing both high-level recipes and low-level interfaces to common algorithms. With funding from Alpha-Omega, we landed 28 pull requests this year. Our work was aimed at adding a new ASN.1 API, which lets developers define ASN.1 structures using Python decorators and type annotations instead of wrestling with raw bytes or external schema files. Read more in our blog post “Sneak peek: A new ASN.1 API for Python.”
• hevm: hevm is a Haskell implementation of the Ethereum Virtual Machine. It powers both the symbolic and concrete execution in Echidna, our smart contract fuzzer. We contributed 14 pull requests this year, mostly focused on performance: we added cost centers to individual opcodes to ease profiling, optimized memory operations, and made stack and program counter operations strict, which got us double-digit percentage improvements on concrete execution benchmarks. We also implemented cheatcodes like toString to improve hevm’s compatibility with Foundry.
• PyPI Warehouse: Warehouse powers the Python Package Index (PyPI), which serves over a billion package downloads per day. We continued our long-running collaboration with PyPI and Alpha-Omega, shipping project archival support so that maintainers can signal when packages are no longer actively maintained. We also cut the test suite runtime by 81%, from 163 to 30 seconds, even as test coverage grew to over 4,700 tests.
• pwndbg: pwndbg is a GDB and LLDB plugin that makes debugging and exploit development less painful. Last year, we packaged LLDB support for distributions and improved decompiler integration. We also contributed pull requests to other tools in the space, including pwntools, angr, and Binary Ninja’s API.

A merged pull request is the easy part. The hard part is everything maintainers do before and after: writing extensive documentation, keeping CI green, fielding bug reports, explaining the same thing to the fifth person who asks. We get to submit a fix and move on. They’re still there a year later, making sure it all holds together.

Thanks to everyone who shaped these contributions with us, from first draft to merge. See you next year.

Trail of Bits’ 2025 open-source contributions

AI/ML

• Repo: majiayu000/litellm-rs
  • By smoelius
    • #3: Specify Anthropic key with x-api-key header
• Repo: mlflow/mlflow
  • By Ninja3047
    • #18274: Fix type checking in truncation message extraction (#18249)
• Repo: simonw/llm
  • By dguido
    • #950: Add model_name parameter to OpenAI extra models documentation
• Repo: sst/opencode
  • By Ninja3047
    • #4549: tweak: Prefer VISUAL environment variable over EDITOR per Unix convention

Cryptography

• Repo: C2SP/x509-limbo
  • By woodruffw
    • #381: deps: pin oscrypto to a git ref
    • #382: dependabot: use groups
    • #385: add webpki::nc::nc-permits-dns-san-pattern
    • #386: chore: switch to uv
    • #387: chore: clean up the site a bit
    • #414: chore: fixup rustls-webpki API usage
    • #418: add openssl-3.5 harness
    • #419: perf: remove PEM bundles from site render
    • #420: pyca: harness: fix max_chain_depth condition
    • #434: chore(ci): arm64 runners, pinact
    • #435: mkdocs: disable search
    • #437: chore: bump limbo
    • #445: feat: add CRL builder API
    • #446: fix: avoid a redundant condition + bogus type ignore
• Repo: certbot/josepy
  • By woodruffw
    • #193: ci: don’t persist creds in check.yaml
• Repo: pyca/cryptography
  • By facutuesca
    • #12807: Update license metadata in pyproject.toml according to PEP 639
    • #13325: Initial implementation of ASN.1 API
    • #13449: Add decoding support to ASN.1 API
    • #13476: Unify ASN.1 encoding and decoding tests
    • #13482: asn1: Add support for bytes, str and bool
    • #13496: asn1: Add support for PrintableString
    • #13514: x509: rewrite datetime conversion functions
    • #13513: asn1: Add support for UtcTime and GeneralizedTime
    • #13542: asn1: Add support for OPTIONAL
    • #13570: Fix coverage for declarative_asn1/decode.rs
    • #13571: Fix some coverage for declarative_asn1/types.rs
    • #13573: Fix coverage for type_to_tag
    • #13576: Fix more coverage for declarative_asn1/types.rs
    • #13580: Fix coverage for pyo3::DowncastIntoError conversion
    • #13579: Fix coverage for declarative_asn1::Type variants
    • #13562: asn1: Add support for DEFAULT
    • #13735: asn1: Add support for IMPLICIT and EXPLICIT
    • #13894: asn1: Add support for SEQUENCE OF
    • #13899: asn1: Add support for SIZE to SEQUENCE OF
    • #13908: asn1: Add support for BIT STRING
    • #13985: asn1: Add support for IA5String
    • #13986: asn1: Add TODO comment for uses of PyStringMethods::to_cow
    • #13999: asn1: Add SIZE support to BIT STRING
    • #14032: asn1: Add SIZE support to OCTET STRING
    • #14036: asn1: Add SIZE support to UTF8String
    • #14037: asn1: Add SIZE support to PrintableString
    • #14038: asn1: Add SIZE support to IA5String
  • By woodruffw
    • #12253: x509/verification: allow DNS wildcard patterns to match NCs
• Repo: tamarin-prover/tamarin-prover
  • By arcz
    • #687: Refactor tamaring-prover-sapic
    • #686: Refactor tamarin-prover-accountability
    • #621: Refactor tamarin-prover package
    • #755: Refactor tamarin-prover-sapic records

Languages and compilers

• Repo: airbus-cert/tree-sitter-powershell
  • By woodruffw
    • #17: deps: bump tree-sitter to 0.25.2
• Repo: cdisselkoen/llvm-ir
  • By woodruffw
    • #69: lib: add missing llvm-19 case
• Repo: hyperledger-solang/solang
  • By smoelius
    • #1680: Fixes two elided_named_lifetimes warnings
    • #1788: Fix typo in codegen/dispatch/polkadot.rs
    • #1778: Check command statuses in build.rs
    • #1779: Fix two infinite loops in codegen
    • #1791: Fix typos in tests/polkadot.rs
    • #1793: Fix a small typo affecting Expression::GetRef
    • #1802: Rename binary to bin
    • #1801: Handle abi.encode() with empty args
    • #1800: Store Namespace reference in Binary
    • #1837: Silence mismatched_lifetime_syntaxes lint
• Repo: llvm/clangir
  • By wizardengineer
    • #1859: [CIR] Fix parsing of #cir.unwind and cir.resume for catch regions
    • #1861: [CIR] Added support for __builtin_ia32_pshufd
    • #1874: [CIR] Add CIRGenFunction::getTypeSizeInBits and use it for size computation
    • #1883: [CIR] Added support for __builtin_ia32_pslldqi_byteshift
    • #1964: [CIR] [NFC] Using types explicitly for pslldqi construct
    • #1886: [CIR] Add support for __builtin_ia32_psrldqi_byteshift
    • #2055: [CIR] Backport FileScopeAsm support from upstream
• Repo: rust-lang/rust
  • By smoelius
    • #139345: Extend QueryStability to handle IntoIterator implementations
    • #145533: Reorder lto options from most to least optimizing
    • #146120: Correct typo in rustc_errors comment

Libraries

• Repo: alex/rust-asn1
  • By facutuesca
    • #532: Make Parser::peek_tag public
    • #533: Re-add Parser::read_{explicit,implicit}_element methods
    • #535: Fix CHOICE docs to match current API
    • #563: Re-add Writer::write_{explicit,implicit}_element methods
    • #581: Release version 0.23.0
• Repo: bytecodealliance/wasi-rs
  • By smoelius
    • #103: Upgrade wit-bindgen-rt to version 0.39.0
• Repo: cargo-public-api/cargo-public-api
  • By smoelius
    • #831: Box<dyn ...> with two or more traits
• Repo: di/id
  • By woodruffw
    • #333: refactor: replace requests with urllib3
• Repo: di/pip-api
  • By woodruffw
    • #237: tox: add pip 25.0 to the test matrix
    • #240: _call: invoke pip with PYTHONIOENCODING=utf8
    • #242: tox: add pip 25.0.1 to the envlist
    • #247: tox: add pip 25.1.1 to test matrix
• Repo: fardream/go-bcs
  • By tjade273
    • #19: Fix unbounded upfront allocations
• Repo: frewsxcv/rust-crates-index
  • By smoelius
    • #189: Add git-https-reqwest feature
• Repo: luser/strip-ansi-escapes
  • By smoelius
    • #21: Upgrade vte to version 0.14
• Repo: psf/cachecontrol
  • By woodruffw
    • #350: chore: prep 0.14.2
    • #352: tests: explicitly GC for PyPy in test_do_not_leak_response
    • #379: chore(ci): fix pins with gha-update
    • #381: chore: drop python 3.8 support, prep for release
• Repo: tafia/quick-xml
  • By Ninja3047
    • #904: Implement serializing CDATA

Tech infrastructure

• Repo: Homebrew/homebrew-core
  • By elopez
    • #206517: slither-analyzer 0.11.0
    • #254439: slither-analyzer: bump python resources
  • By woodruffw
    • #206391: sickchill: bump Python resources
    • #206675: ci: switch to SSH signing everywhere
    • #222973: zizmor: add tab completion
• Repo: NixOS/nixpkgs
  • By elopez
    • #421573: libff: remove boost dependency
    • #442246: echidna: 2.2.6 -> 2.2.7
    • #445662: libff: update cmake version
    • #445678: btor2tools: 0-unstable-2024-08-07 -> 0-unstable-2025-09-18
• Repo: google/oss-fuzz
  • By ret2libc
    • #14080: projects/libpng: make sure master branch is used
    • #14178: infra/helper: pass the right arguments to docker_run in reproduce_impl
• Repo: microsoft/vcpkg
  • By ekilmer
    • #45458: [abseil] Add feature “test-helpers”
• Repo: microsoft/vcpkg-tool
  • By ekilmer
    • #1602: Check errno after waitpid for EINTR
    • #1744: [spdx] Add installed package files to SPDX SBOM file

Software testing tools

• Repo: AFLplusplus/AFLplusplus
  • By smoelius
    • #2319: Add fflush(stdout); before abort call
    • #2408: Color AFL_NO_UI output
• Repo: advanced-security/monorepo-code-scanning-action
  • By Vasco-jofra
    • #61: Only republish SARIFs from valid projects
    • #58: Add support for passing tools to codeql-action/init
• Repo: github/codeql
  • By Vasco-jofra
    • #19762: Improve TypeORM model
    • #19769: Improve NestJS sources and dependency injection
    • #19768: Add lodash GroupBy as taint step
    • #19770: Improve data flow in the async package
  • By mschwager
    • #20101: Fix #19294, Ruby NetHttpRequest improvements
• Repo: oli-obk/ui_test
  • By smoelius
    • #352: Fix typo in parser.rs
• Repo: pypa/abi3audit
  • By woodruffw
    • #134: ci: set some default empty permissions
• Repo: rust-fuzz/cargo-fuzz
  • By smoelius
    • #423: Update tempfile to version 3.10.1
    • #424: Update is-terminal to version 0.4.16
• Repo: rust-lang/cargo
  • By smoelius
    • #15201: Typo: “explicitally” -> “explicitly”
    • #15204: Typo: “togother” -> “together”
    • #15208: fix: reset $CARGO if the running program is real cargo[.exe]
    • #15698: Fix potential deadlock in CacheState::lock
    • #15841: Reorder lto options in profiles.md
• Repo: rust-lang/rust-clippy
  • By smoelius
    • #13894: Move format_push_string and format_collect to pedantic
    • #13669: Two improvements to disallowed_*
    • #13893: Add unnecessary_debug_formatting lint
    • #13931: Add ignore_without_reason lint
    • #14280: Rename inconsistent_struct_constructor configuration; don’t suggest deprecated configurations
    • #14376: Make visit_map happy path more evident
    • #14397: Validate paths in disallowed_* configurations
    • #14529: Fix a typo in derive.rs comment
    • #14733: Don’t warn about unloaded crates
    • #14360: Add internal lint derive_deserialize_allowing_unknown
    • #15090: Fix typo in tests/ui/missing_const_for_fn/const_trait.rs
    • #15357: Fix typo non_std_lazy_statics.rs
    • #14177: Extend implicit_clone to handle to_string calls
    • #15440: Correct needless_borrow_for_generic_args doc comment
    • #15592: Commas to semicolons in clippy.toml reasons
    • #15862: Allow explicit_write in tests
    • #16114: Allow multiline suggestions in map-unwrap-or
• Repo: rust-lang/rustup
  • By smoelius
    • #4201: Add TryFrom<Output> for SanitizedOutput
    • #4200: Do not append EXE_SUFFIX in Config::cmd
    • #4203: Have mocked cargo better adhere to cargo conventions
    • #4516: Fix typo in clitools.rs comment
    • #4518: Set RUSTUP_TOOLCHAIN_SOURCE
    • #4549: Expand RUSTUP_TOOLCHAIN_SOURCE’s documentation
• Repo: zizmorcore/zizmor
  • By DarkaMaul
    • #496: Downgrade tracing-indicatif

Blockchain software

• Repo: anza-xyz/agave
  • By smoelius
    • #6283: Fix typo in cargo-install-all.sh
• Repo: argotorg/hevm
  • By elopez
    • #612: Cleanups in preparation of GHC 9.8
    • #663: tests: run evm on its own directory
    • #707: Optimize memory representation and operations
    • #729: Optimize maybeLit{Byte,Word,Addr}Simp and maybeConcStoreSimp
    • #738: Fix Windows CI build
    • #744: Add benchmarking with Solidity examples
    • #737: Use Storable vectors for memory
    • #760: Avoid fixpoint for literals and concrete storage
    • #789: Optimized OpSwap
    • #803: Add cost centers to opcodes, optimize
    • #808: Optimize word256Bytes, word160Bytes
    • #838: Implement toString cheatcode
    • #846: Bump dependency upper bounds
    • #883: Fix GHC 9.10 warnings
• Repo: hellwolf/solc.nix
  • By elopez
    • #21: Update references to solc-bin and solidity repositories
• Repo: rappie/fuzzer-gas-metric-benchmark
  • By elopez
    • #1: Unify benchmarking code to avoid differences between tools

Reverse engineering tools

• Repo: Gallopsled/pwntools
  • By Ninja3047
    • #2527: Allow setting debugger path via context.gdb_binary
    • #2546: ssh: Allow passing disabled_algorithms keyword argument from ssh to paramiko
    • #2602: Allow setting debugger path via context.gdb_binary
• Repo: Vector35/binaryninja-api
  • By ekilmer
    • #6822: cmake: binaryninjaui depends on binaryninjaapi
  • By ex0dus-0x
    • #7123: [Rust] Make fields of LookupTableEntry public
• Repo: angr/angr
  • By Ninja3047
    • #5665: Check that jump_source is not None
• Repo: angr/angrop
  • By bkrl
    • #124: Implement ARM64 support and RiscyROP chaining algorithm
• Repo: frida/frida-gum
  • By Ninja3047
    • #1075: Support data exports on Windows
• Repo: jonpalmisc/screenshot_ninja
  • By Ninja3047
    • #4: Fix api deprecation
• Repo: pwndbg/pwndbg
  • By Ninja3047
    • #2916: Fix parsing gaps in command line history
    • #2920: Bump zig in nix devshell to 0.13.1
    • #2925: Add editable pwndbg into the nix devshell
    • #2928: Use nixfmt-tree instead of calling the nixfmt-rfc-style directly
    • #3194: fix: exec -a is not posix compliant
    • #3195: Package lldb for distros
  • By arcz
    • #2942: Update development with Nix docs
    • #3314: Fix lldb fzf startup prompt
• Repo: quarkslab/quokka
  • By DarkaMaul
    • #42: Update release.yml to use TP and more modern packaging solutions
    • #43: Add dependabot
    • #46: Add zizmor action
    • #30: Allow build on MacOS (MX)
    • #48: Fix zizmor alerts
    • #63: Update LLVM ref to LLVM@18
    • #66: chore: pin GitHub Actions to SHA hashes for security

Software analysis/transformation tools

• Repo: pygments/pygments
  • By DarkaMaul
    • #2819: Add CodeQL lexer
• Repo: quarkslab/bgraph
  • By DarkaMaul
    • #8: Archive project

Packaging ecosystem/supply chain

• Repo: Homebrew/.github
  • By woodruffw
    • #247: actionlint: bump upload-sarif to v3.28.5
    • #253: ci: switch to SSH signing
• Repo: Homebrew/actions
  • By woodruffw
    • #645: setup-commit-signing: move to SSH signing
    • #646: setup-commit-signing: update README examples
    • #648: ci: switch to SSH signing
    • #654: setup-commit-signing: remove GPG signing support
    • #682: Revert “*/README.md: note GitHub recommends pinning actions.”
• Repo: Homebrew/brew
  • By woodruffw
    • #19230: ci: switch to SSH signing everywhere
    • #19217: dev-cmd: add brew verify
    • #19250: utils/pypi: warn when pypi_info fails due to missing sources
• Repo: Homebrew/brew-pip-audit
  • By woodruffw
    • #161: ci: ssh signing
    • #191: add pr_title
• Repo: Homebrew/brew.sh
  • By woodruffw
    • #1125: _posts: add git signing post
• Repo: Homebrew/homebrew-cask
  • By woodruffw
    • #200760: ci: switch to SSH based signing
• Repo: Homebrew/homebrew-command-not-found
  • By woodruffw
    • #213: update-database: switch to SSH signing
• Repo: PyO3/maturin
  • By woodruffw
    • #2429: ci: don’t enable sccache on tag refs
• Repo: conda/schemas
  • By facutuesca
    • #76: Add schema for publish attestation predicate
• Repo: ossf/wg-securing-software-repos
  • By woodruffw
    • #57: fix: replace job_workflow_ref with workflow_ref
    • #58: chore: bump date in trusted-publishers-for-all-package-repositories.md
• Repo: pypa/gh-action-pip-audit
  • By woodruffw
    • #54: ci: zizmor fixes, add zizmor workflow
    • #57: chore(ci): fix minor zizmor permissions findings
• Repo: pypa/gh-action-pypi-publish
  • By woodruffw
    • #347: oidc-exchange: include environment in rendered claims
    • #359: deps: bump pypi-attestations to 0.0.26
• Repo: pypa/packaging.python.org
  • By woodruffw
    • #1803: simple-repository-api: bump, explain api-version
    • #1808: simple-repository-api: clean up, add API history
    • #1810: simple-repository-api: clean up PEP 658/PEP 714 bits
    • #1859: guides: remove manual Sigstore steps from publishing guide
• Repo: pypa/pip-audit
  • By woodruffw
    • #875: pyproject: drop setuptools from lint dependencies
    • #878: Remove two groups of resource leaks
    • #879: chore: prep 2.8.0
    • #888: PEP 751 support
    • #890: chore: prep 2.9.0
    • #891: chore: metadata cleanup
• Repo: pypa/twine
  • By woodruffw
    • #1214: Update changelog for 6.1.0
    • #1229: deps: bump keyring to >=21.2.0
    • #1239: ci: apply fixes from zizmor
    • #1240: bugfix: utils: catch configparser.Error
• Repo: pypi/pypi-attestations
  • By facutuesca
    • #82: Add pypi-attestations verify pypi CLI subcommand
    • #83: chore: prep 0.0.21
    • #86: cli: Support verifing *.slsa.attestation attestation files
    • #87: cli: Support friendlier syntax for verify pypi command
    • #98: Support local files in verify pypi subcommand
    • #103: Simplify test assets and include them in package
    • #104: Add API and CLI option for offline (no TUF refresh) verification
    • #105: Add CLI subcommand to convert Sigstore bundles to attestations
    • #119: Add pull request template
    • #120: Update license fields in pyproject.toml
    • #128: chore: prep v0.0.27
    • #145: chore: prep v0.0.28
    • #151: Fix lint and remove support for Python 3.9
    • #150: Add cooldown to dependabot updates
    • #152: Add zizmor to CI
    • #153: Remove unneeded permissions from zizmor workflow
  • By woodruffw
    • #94: _cli: make reformat
    • #99: chore: prep v0.0.22
    • #109: bugfix: impl: require at least one of the source ref/sha extensions
    • #110: pypi_attestations: bump version to 0.0.23
    • #114: feat: add support for Google Cloud-based Trusted Publishers
    • #115: chore: prep for release v0.0.24
    • #118: chore: release: v0.0.25
    • #122: chore(ci): uvx gha-update
    • #124: fix: remove ultranormalization of distribution filenames
    • #125: chore: prep for release v0.0.26
    • #127: bugfix: compare distribution names by parsed forms
• Repo: pypi/warehouse
  • By DarkaMaul
    • #17463: Fix typo in PEP625 email
    • #17472: Add published column
    • #17512: Use zizmor from PyPI
    • #17513: Update workflows
  • By facutuesca
    • #17391: docs: add details of how to verify provenance JSON files
    • #17438: Add archived badges to project’s settings page
    • #17484: Add blog post for archiving projects
    • #17532: Simplify archive/unarchive UI buttons
    • #17405: Improve error messages when a pending Trusted Publisher’s project name already exists
    • #17576: Check for existing Trusted Publishers before constraining existing one
    • #18168: Add workaround in dev docs for issue with OpenSearch image
    • #18221: chore(deps): bump pypi-attestations from 0.0.26 to 0.0.27
    • #18169: oidc: Refactor lookup strategies into single functions
    • #18338: oidc: fix bug when matching GitLab environment claims
    • #18884: Update URL for pypi-attestations repository
    • #18888: Update pypi-attestations to v0.0.28
  • By woodruffw
    • #17453: history: render project archival enter/exit events
    • #17498: integrity: refine Accept header handling
    • #17470: metadata: initial PEP 753 bits
    • #17514: docs/api: clean up Upload API docs slightly
    • #17571: profile: add archived projects section
    • #17716: docs: new and shiny storage limit docs
    • #17913: requirements: bump pypi-attestations to 0.0.23
    • #18113: chore(docs): add social links for Mastodon and Bluesky
    • #18163: docs(dev): add meta docs on writing docs
    • #18164: docs: link to PyPI user docs more
• Repo: python/peps
  • By woodruffw
    • #4356: Infra: Make PEP abstract extration more robust
    • #4432: PEP 792: Project status markers in the simple index
    • #4455: PEP 792: add Discussions-To link
    • #4457: PEP 792: clarify index API changes
    • #4463: PEP 792: additional review feedback
• Repo: sigstore/architecture-docs
  • By woodruffw
    • #42: specs: add algorithm-registry.md
    • #44: client-spec: reflow, fix more links
    • #46: PGI spec: fix Rekor/Fulcio spec links
• Repo: sigstore/community
  • By ret2libc
    • #623: Enforce branches up to date to avoid merging errors
  • By woodruffw
    • #582: sigstore: add myself to architecture-doc-team
• Repo: sigstore/cosign
  • By ret2libc
    • #4111: cmd/cosign/cli: fix typo in ignoreTLogMessage
    • #4050: Remove SHA256 assumption in sign-blob/verify-blob
• Repo: sigstore/fulcio
  • By ret2libc
    • #1938: Allow configurable client signing algorithms
    • #1959: Proof of Possession agility
• Repo: sigstore/gh-action-sigstore-python
  • By woodruffw
    • #160: ci: cleanup, fix zizmor findings
    • #161: README: add a notice about whether this action is needed
    • #165: chore: hash-pin everything
    • #183: chore: prep 3.0.1
• Repo: sigstore/protobuf-specs
  • By ret2libc
    • #572: protos/PublicKeyDetails: add compatibility algorithms using SHA256
  • By woodruffw
    • #467: use Pydantic dataclasses for Python bindings
    • #468: pyproject: prep 0.3.5
    • #595: docs: rm algorithm-registry.md
• Repo: sigstore/rekor
  • By ret2libc
    • #2429: pkg/api: better logs when algorithm registry rejects a key
• Repo: sigstore/rekor-monitor
  • By facutuesca
    • #685: Fix Makefile and README
    • #689: Make CLI args for configuration path/string mutually exclusive
    • #688: Add support for CT log entries with Precertificates
    • #695: Fetch public keys using TUF
    • #705: Initial support for Rekor v2
    • #729: Handle sharding of Rekor v2 log while monitor runs
    • #752: Use int64 for index types
    • #751: Add identity monitoring for Rekor v2
    • #827: Add cooldown to dependabot updates
    • #828: Update codeql-action
  • By ret2libc
    • #717: ci: wrap inputs.config in ct_reusable_monitoring
    • #718: doc: correct usage of ct log monitoring workflow
    • #724: pkg/rekor: handle signals inside long op GetEntriesByIndexRange
    • #723: Deduplicate ct/rekor monitoring reusable workflows
    • #725: Refactor IdentitySearch logic between ct and rekor
    • #726: Deduplicate ct and rekor monitors
    • #727: Fix once behaviour
    • #730: cmd/rekor_monitor: accept custom TUF
    • #736: pkg/notifications: make Notifications more customazible
    • #739: Add a few tests for the main monitor loop
    • #742: internal/cmd/common_test: fix TestMonitorLoop_BasicExecution
    • #741: Add config validation
    • #743: Fix monitor loop behaviour when using once without a prev checkpoint
    • #738: Report failed entries
    • #745: internal/cmd: fix common tests after merging
    • #740: Split the consistency check and the checkpoint writing
    • #746: cmd: fix WriteCheckpointFn when no previous checkpoint
    • #748: Small refactoring
    • #749: internal/cmd: Use interface instead of callbacks
    • #750: internal/cmd: remove unused MonitorLoopParams struct
    • #763: pkg/util/file: write only one checkpoint
    • #764: Add trusted CAs for filtering matched identities
    • #771: Fix bug with missing entries when regex were used
    • #773: pkg/identity: simplify CreateMonitoredIdentities function
    • #770: Check Certificate chain in CTLogs
    • #777: Refactor IdentitySearch args
    • #776: ci: add release workflow
    • #778: Parsable output
    • #786: Improve README by explaining config file
• Repo: sigstore/rekor-tiles
  • By facutuesca
    • #479: Make verifier pkg public
• Repo: sigstore/sigstore
  • By ret2libc
    • #1981: pkg/signature: fix RSA PSS 3072 key size in algorithm registry
    • #2001: pkg/signature: expose Algorithm Details information
    • #2014: Implement default signing algorithms based on the key type
    • #2037: pkg/signature: add P384/P521 compatibility algo to algorithm registry
• Repo: sigstore/sigstore-conformance
  • By woodruffw
    • #176: handle different certificate fields correctly
    • #199: action: bump cpython-release-tracker
    • #200: README: prep for v0.0.17 release
• Repo: sigstore/sigstore-go
  • By facutuesca
    • #506: Update GetSigningConfig to use signing_config.v0.2.json
  • By ret2libc
    • #433: pkg/root: fix typo in nolint annotation
    • #424: Use default Verifier for the public key contained in a certificate (closes #74)
• Repo: sigstore/sigstore-python
  • By woodruffw
    • #1283: ci: fix offline tests on ubuntu-latest
    • #1293: ci: remove dependabot + gomod, always fetch latest
    • #1310: docs: clarify Verifier APIs
    • #1450: chore(deps): bump rfc3161-client to >= 1.0.3
    • #1451: Backport #1450 to 3.6.x
    • #1452: chore: prep 3.6.4
    • #1453: chore: forward port changelog from 3.6.4
• Repo: sigstore/sigstore-rekor-types
  • By dguido
    • #219: Upgrade to Python 3.9 and update to Rekor v1.4.0
  • By woodruffw
    • #169: chore(ci): pin everywhere, drop perms
• Repo: synacktiv/DepFuzzer
  • By thomas-chauchefoin-tob
    • #11: Switch boolean args to flags
    • #12: Use MX records to validate email domains
    • #13: Fix empty author_email handling for PyPI
    • #15: Detect disposable providers in maintainer emails
• Repo: wolfv/ceps
  • By woodruffw
    • #5: add cep for sigstore
    • #6: sigstore-cep: rework Discussion and Future Work sections
    • #7: Sigstore CEP: address additional feedback

Others

• Repo: AzureAD/microsoft-authentication-extensions-for-python
  • By DarkaMaul
    • #144: Add missing import in token_cache_sample
• Repo: SchemaStore/schemastore
  • By woodruffw
    • #4635: github-workflow: workflow_call.secrets.*.required is not required
    • #4637: github-workflow: trigger types can be an array or a scalar string
• Repo: google/gvisor
  • By ret2libc
    • #12325: usertrap: disable syscall patching when ptraced
• Repo: oli-obk/cargo_metadata
  • By smoelius
    • #295: Update cargo-util-schemas to version 0.8.1
    • #305: Proposed -Zbuild-dir fix
    • #304: Add newtype wrapper
    • #307: Bump version
• Repo: ossf/alpha-omega
  • By woodruffw
    • #454: PyPI: record 2024-12
    • #468: engagements: add PyCA
    • #467: pypi: add January 2025 update (#2025)
    • #478: engagements: update PyPI and PyCA for February 2025
    • #487: PyPI, PyCA: March 2025 updates
    • #499: PyPI, PyCA: April 2025 updates
• Repo: rustsec/advisory-db
  • By DarkaMaul
    • #2169: Protobuf DoS
  • By smoelius
    • #2289: Withdraw RUSTSEC-2022-0044