Seth Larson

Seth Larson — PSF Security Developer-in-Residence

Python security and open source infrastructure, plus retro gaming preservation and emulation.

I paid $50 plus shipping on eBay for this PNG. This is the closest I'll get to NFTs.

sethmlarson.dev

Seth Larson is the Python Software Foundation's first Security Developer-in-Residence, and his blog reflects exactly the kind of mind that job requires — someone who can write a serious PEP on software supply chain security one week and spend the next extracting hidden JPEG files from GameCube ROMs. His posts alternate between deep Python ecosystem work and delightfully nerdy side projects involving retro games, QR codes, and Unicode oddities.

Written by Seth Larson.

About This Blog
Activity

Regular

Publishes weekly or bi-weekly

Followers

1

Category

Independent Blog

Languages

English

Feed Accessibility

How this blog's content is accessed through Blogs Are Back.

Full Content

RSS feed includes complete post content for reading in-app

Proxy Required

Feed is fetched through our proxy for browser compatibility

Proxy Post Links

Post pages are loaded through our proxy for compatibility

Embeddable

Posts can be displayed inline in the reader view

Latest Posts

Recent posts from Seth Larson's RSS feed.

“The Legend of Zelda: Link’s Awakening” respects your time

I played “The Legend of Zelda: Link’s Awakening” for the first time in January and early February. The game took me 13 hours to complete the main story and a few optional side quests. I started playing the game on Nintendo Classics for the Game Boy Color, but then remembered there was a Nintendo Switch remake. I bought the game for $30 on eBay and three days later was playing again....

Deprecate confusing APIs like “os.path.commonprefix()”

The os.path.commonprefix() function has been an API in the Python standard library for at least 35 years (since February 1991) and in that time has been confusing users and creating security issues, even in programs explicitly trying to mitigate vulnerabilities. This was caused directly by the API's placement in the os.path module and further perpetuated by backwards compatibility. Here are my top-level takeaways from investigating this issue: Weigh surprise and potential for misuse higher...

Respecting maintainer time should be in security policies

Generative AI tools becoming more common means that vulnerability reports these days are loooong. If you're an open source maintainer, you unfortunately know what I'm talking about. Markdown-formatted, more than five headings, similar in length to a blog post, and characterized as a vulnerability worthy of its own domain name. This makes triaging vulnerabilities by often under-resourced maintainers more difficult, time-consuming, and stressful. Whether a report is a genuine vulnerability or not,...

Automated public shaming of open source maintainers

This is a follow-up to “New era of slop security reports for open source”. Matplotlib, the unfortunate target of this new type of harassment, publishes a clear generative AI use policy. That boundary was not respected by generative AI users and a pull request was opened by an OpenClaw agent. If the website the agent's GitHub comment links to is any indication, within 4 days of deployment this agent generated a “take-down blog post” intended to publicly shame an open source maintainer (who ha...

Cooler Analytics

You don't need analytics on your blog, but maybe you need analytics for your cooler? The last place you’d expect to find analytics. Last Sunday was the Superbowl in the USA, where former Vikings quarterback Sam Darnold and the Seahawks trounced the Patriots 29–13. We were also reminded who the top players are in the USA economy. Surprise, it's still generative AI, cryptocurrencies, sports betting, and surveillance. Anyway, Trina and I hosted a Superbowl watch-party and I take pride in...

Follow Seth Larson

If you like your technical writing served with genuine curiosity and occasional retro gaming archaeology, Seth's blog delivers both.

http://sethmlarson.dev/feed