From c7e0d088d53cb5243e9d5ded4abb55c9cc3d1651 Mon Sep 17 00:00:00 2001 From: Paul Duncan Date: Sun, 16 Nov 2025 11:57:38 -0500 Subject: TODO.md: add ideas --- TODO.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/TODO.md b/TODO.md index 4986807..4f48455 100644 --- a/TODO.md +++ b/TODO.md @@ -19,6 +19,7 @@ - wkd for pgp - home: rename "Archived Posts..." to "Older Posts" - archive: rename "Archived Posts..." to "Older Posts" +- index with pagefind: (, ) ## linting - replace `` in old posts with `{{< figure >}}` (partial work @@ -145,6 +146,9 @@ - declarative install (go) rationale: + - counterexamples: + - rubygems (arbitrary ruby) + - rust (arbitrary rust in `build.rs`) - typosquatting (see sqo vulns from may email) - starsquatting (requests, phpass): https://medium.com/checkmarx-security/typosquatting-attack-on-requests-one-of-the-most-popular-python-packages-3b0a329a892d - ref: https://kerkour.com/rust-crate-backdoor @@ -238,6 +242,7 @@ - heat pump (pictures/heat-pump-20220930) - - `curl|bash` is madness + - vulnerable to clickfix: - gosec vs govulncheck https://github.com/securego/gosec https://www.pixelstech.net/article/1667102060-Secure-Your-Go-Code-With-Vulnerability-Check-Tool @@ -669,6 +674,7 @@ - - software: +- ## done - add project folders -- cgit v1.2.3
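Review bot: The item added in the first hunk (@@ -19,6 +19,7 @@) reads `- index with pagefind: (, )`, so the parenthetical that should carry the references is empty. Fill in the two links the parentheses were meant to hold, or drop the `(, )` so the entry does not look like it lost its content.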
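Review bot: In the second hunk (@@ -145,6 +146,9 @@), the two counterexamples under the "declarative install (go)" rationale are not parallel: the rust entry names where the arbitrary code runs (`build.rs`), while the rubygems entry says only "arbitrary ruby". Name the file or install step for rubygems as well, so that both entries record the mechanism and not just the language. The neighbouring typosquatting and starsquatting items carry a URL or `ref:`; a reference per counterexample would match them.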
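Review bot: The line added in the third hunk (@@ -238,6 +242,7 @@), `- vulnerable to clickfix:`, ends in a colon with nothing after it, and the next line is the unrelated `gosec vs govulncheck` item. Either add the reference or the one-line explanation the colon promises, or drop the colon so the sub-item under `curl|bash` reads as a complete statement.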
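Review bot: The last hunk (@@ -669,6 +674,7 @@) adds a bare `-` with no text directly above `## done`, which leaves an empty bullet at the end of the `software:` list. The subject line says "add ideas", so either write the idea this placeholder stands for or leave the line out of the commit.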