|
178 | 178 |
|
179 | 179 | 00:07:13 It's a user of your lib three.
|
180 | 180 |
|
181 |
| -00:07:15 And then in addition to that, I have a library, which I quite love, which is called trustor, which is being adopted by a lot of package managers right now, like pip and conda and and PDM, which allows those packages to use system certificates as opposed to something like certify, so that you can take advantage of all of the benefits that you get for using a system trust store for HTTPS, as opposed to like a static bundle of certificates, because operating systems are actually constantly checking, updating all of these things. |
| 181 | +00:07:15 And then in addition to that, I have a library, which I quite love, which is called truststore, which is being adopted by a lot of package managers right now, like pip and conda and and PDM, which allows those packages to use system certificates as opposed to something like certify, so that you can take advantage of all of the benefits that you get for using a system trust store for HTTPS, as opposed to like a static bundle of certificates, because operating systems are actually constantly checking, updating all of these things. |
182 | 182 |
|
183 | 183 | 00:07:47 It's just a little bit better.
|
184 | 184 |
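Review bot: the `+` line still spells the CA-bundle package as "certify"; the PyPI package is `certifi`, so this hunk corrects one package name (truststore) and leaves the other one wrong. Suggest "as opposed to something like certifi". The doubled "and and PDM" on the same line can be collapsed to "and PDM" in the same pass.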
|
|
224 | 224 |
|
225 | 225 | 00:09:17 And what I really do is try my best to make it so that bad stuff doesn't happen to Python users.
|
226 | 226 |
|
227 |
| -00:09:25 And so, you know, obviously those things are important, like securing Python, the actual code itself. But on, like, the scale factor, maybe those are a little bit less important than some things like making sure that when you download something from Python.org, it is the correct thing. Making sure that when a release is happening for Python, nothing can subvert that release and get injected in and then distributed to everyone. And then it goes beyond Python when you start thinking about the packaging space. So making sure that hip release process is good. Making sure that all of these tools and stuff that are using all of these binary libraries, how can you be sure that those libraries that are bundled along with them don't don't have vulnerabilities. And then a lot of things around process. So vulnerability management and making sure that vulnerabilities that are discovered in Python and reported to us, they actually get to the end of the process where they're fixed and released. |
| 227 | +00:09:25 And so, you know, obviously those things are important, like securing Python, the actual code itself. But on, like, the scale factor, maybe those are a little bit less important than some things like making sure that when you download something from Python.org, it is the correct thing. Making sure that when a release is happening for Python, nothing can subvert that release and get injected in and then distributed to everyone. And then it goes beyond Python when you start thinking about the packaging space. So making sure that pip release process is good. Making sure that all of these tools and stuff that are using all of these binary libraries, how can you be sure that those libraries that are bundled along with them don't have vulnerabilities. And then a lot of things around process. So vulnerability management and making sure that vulnerabilities that are discovered in Python and reported to us, they actually get to the end of the process where they're fixed and released. |
228 | 228 |
|
229 | 229 | 00:10:24 There's just a whole bunch of things like that where it's more of a scale and safety and making sure that my effort goes towards things that are going to keep on churning as opposed to things that are like spot fixes. Because spot fixes, they're important, but they don't have the scale and they don't have that, like, keep on giving you the value aspect of them.
|
230 | 230 |
|
|
284 | 284 |
|
285 | 285 | 00:11:37 - Okay.
|
286 | 286 |
|
287 |
| -00:11:38 A quick question from the audience here on the live stream, you know, Louis asks, is there a visibility or will there be a public visibility for CVEs in packages? |
| 287 | +00:11:38 A quick question from the audience here on the live stream, you know, Lewis asks, is there a visibility or will there be a public visibility for CVEs in packages? |
288 | 288 |
|
289 | 289 | 00:11:47 That is an excellent question.
|
290 | 290 |
|
|
300 | 300 |
|
301 | 301 | 00:12:03 So the, the, I'll start off with stuff that I did not personally do, but I'm helping maintain now.
|
302 | 302 |
|
303 |
| -00:12:08 which is there is an advisory database called, if you go on GitHub, it's github.com/pypa/advisorydatabase with a dash in between advisory and database. |
| 303 | +00:12:08 which is there is an advisory database called, if you go on GitHub, it's github.com/pypa/advisory-database with a dash in between advisory and database. |
304 | 304 |
|
305 | 305 | 00:12:22 And that database is essentially trying to categorize all of the CVEs and what versions they affect for every single package on the Python package index, which is an impossible task, but so we're trying our best there.
|
306 | 306 |
|
|
484 | 484 |
|
485 | 485 | 00:21:17 I mean, we'll come back to the release process, but I do want to ask you about this is One of the challenges I see is like, I got to depend about a warning.
|
486 | 486 |
|
487 |
| -00:21:24 Luckily, it was for basically the requirements-dev side, not the true requirement. |
| 487 | +00:21:24 Luckily, it was for basically the requirements-dev side, not the tool requirement. |
488 | 488 |
|
489 | 489 | 00:21:31 You know, like I'm going to use a bunch more tools to do like Jupyter stuff on my data, but I'm really just running a website and there's like a much smaller, well, a smaller set of things on there.
|
490 | 490 |
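Review bot: the change from "true requirement" to "tool requirement" on the `+` line looks like it inverts the sense rather than fixing a typo. The next context line contrasts the extra tools used "to do like Jupyter stuff" with the smaller set needed to actually run the website, so the requirements-dev side is the tool side and the other side is the true (runtime) requirement. "true requirement" reads correctly as spoken; suggest reverting this line.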
|
|
538 | 538 |
|
539 | 539 | 00:25:04 Yeah.
|
540 | 540 |
|
541 |
| -00:25:05 I, I can relate to Frank here who writes with 1.3 thousand or 1,300 dependencies in our project because of this dependencies are at all times. |
| 541 | +00:25:05 I, I can relate to Frank here who writes with 1.3 thousand or 1,300 dependencies in our project because of this dependencies are hell at all times. |
542 | 542 |
|
543 | 543 | 00:25:15 Yeah.
|
544 | 544 |
|
|
618 | 618 |
|
619 | 619 | 00:27:05 Yeah.
|
620 | 620 |
|
621 |
| -00:27:05 The stakes are higher when you attach the internet to anything, but when it's like a local script, it's just tail your log file and his request, request, hack, hack, request, attempted hack requests. |
| 621 | +00:27:05 The stakes are higher when you attach the internet to anything, but when it's like a local script, it's just cail your log file and his request, request, hack, hack, request, attempted hack requests. |
622 | 622 |
|
623 | 623 | 00:27:16 It's just WP log in.
|
624 | 624 |
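Review bot: "tail your log file" was correct and the `+` line replaces it with "cail", which is not a word. `tail` is the Unix command for following a log file, which is exactly what the speaker describes, so suggest reverting to "tail your log file". While in this hunk, the following context line "It's just WP log in." refers to the WordPress login endpoint, wp-login.php, which is what those logged requests are probing, and could be written "wp-login" so readers scanning the transcript recognize it.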
|
|
708 | 708 |
|
709 | 709 | 00:28:56 let's see.
|
710 | 710 |
|
711 |
| -00:28:58 Please note how pep one Oh one replaces pep one or two time traveling was invented there. |
| 711 | +00:28:58 Please note how pep 101 replaces pep 102 time traveling was invented there. |
712 | 712 |
|
713 | 713 | 00:29:03 What is it?
|
714 | 714 |
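Review bot: style point on the `+` line: "pep 101" and "pep 102" should be capitalized as PEP 101 and PEP 102, the form used in the Python documentation; the same applies to the other hunks in this patch that spell it "pep 101". The substance of the fix is right: PEP 101 ("Doing Python Releases 101") does list PEP 102 as the PEP it replaces, which is the joke the audience member is making about time travel.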
|
|
718 | 718 |
|
719 | 719 | 00:29:04 It's I wanted to comment on that too.
|
720 | 720 |
|
721 |
| -00:29:06 It said replaces pep one Oh two. |
| 721 | +00:29:06 It said replaces pep 102. |
722 | 722 |
|
723 |
| -00:29:08 And I wonder if it was more like a, Oh, we should just use one Oh one sort of situation. |
| 723 | +00:29:08 And I wonder if it was more like a, Oh, we should just use 101 sort of situation. |
724 | 724 |
|
725 | 725 | 00:29:14 Well, I think this is doing micro releases, right?
|
726 | 726 |
|
|
788 | 788 |
|
789 | 789 | 00:30:58 A lot going on here.
|
790 | 790 |
|
791 |
| -00:30:59 You need some, you need some mandor control plus on it. |
| 791 | +00:30:59 You need some, you need some commandor control plus on it. |
792 | 792 |
|
793 | 793 | 00:31:01 Yep.
|
794 | 794 |
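Review bot: "commandor control plus" on the `+` line is still garbled; the speaker is telling the presenter to zoom the page with Command+ on macOS or Control+ elsewhere. Suggest "command or control plus", or the keystroke form "Cmd/Ctrl +".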
|
|
798 | 798 |
|
799 | 799 | 00:31:03 So in the very beginning, what happens is essentially the release manager decides it's time to make a release.
|
800 | 800 |
|
801 |
| -00:31:10 It'll be right now. |
| 801 | +00:31:10 It'll be live right now. |
802 | 802 |
|
803 | 803 | 00:31:12 So we're, we're deciding, okay, we're going to make a release.
|
804 | 804 |
|
|
1086 | 1086 |
|
1087 | 1087 | 00:43:02 Yeah, no.
|
1088 | 1088 |
|
1089 |
| -00:43:04 And so then after all of those things kind of happen, there's this stage in, you know, there's a stop, stop, stop line in the, pep one-on-one that just basically says for the release manager to wait for everyone to be done with their thing. |
| 1089 | +00:43:04 And so then after all of those things kind of happen, there's this stage in, you know, there's a stop, stop, stop line in the, pep 101 that just basically says for the release manager to wait for everyone to be done with their thing. |
1090 | 1090 |
|
1091 | 1091 | 00:43:17 And then once everyone's done with their thing and has uploaded everything to to python.org, there's basically this phase of testing everything.
|
1092 | 1092 |
|
|
1378 | 1378 |
|
1379 | 1379 | 00:54:14 Like it's hard to leverage, but if you could just say in your threads, new interpreter for this bit, right?
|
1380 | 1380 |
|
1381 |
| -00:54:19 All of a sudden you escape the gill for computational stuff. |
| 1381 | +00:54:19 All of a sudden you escape the GIL for computational stuff. |
1382 | 1382 |
|
1383 | 1383 | 00:54:23 That'd be pretty interesting.
|
1384 | 1384 |
|
|
1442 | 1442 |
|
1443 | 1443 | 00:55:11 Tons of fixes and improvements.
|
1444 | 1444 |
|
1445 |
| -00:55:13 Mike Feeler out in the audience says Python dash M, SQLite 3 is nifty. |
| 1445 | +00:55:13 Mike Fiedler out in the audience says Python dash M, SQLite 3 is nifty. |
1446 | 1446 |
|
1447 | 1447 | 00:55:17 Mike, you're going to have to tell me more about this.
|
1448 | 1448 |
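Review bot: the command on the `+` line is better rendered as code than as transliterated speech: "Python dash M, SQLite 3" is `python -m sqlite3`, the command-line interface of the sqlite3 module that shipped in Python 3.12. Writing it as `python -m sqlite3` lets a reader copy and run what the audience member is pointing at.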
|
|
1590 | 1590 |
|
1591 | 1591 | 00:58:25 There we go.
|
1592 | 1592 |
|
1593 |
| -00:58:25 Multi-villain admitting. |
| 1593 | +00:58:25 Multiple editing. |
1594 | 1594 |
|
1595 | 1595 | 00:58:27 We haven't talked about S bombs, but seamlessly reuse here.
|
1596 | 1596 |
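Review bot: the context line directly after the change, "We haven't talked about S bombs", still carries the speech-to-text rendering of SBOMs (software bills of materials), which is the security term the speakers are referring to. Since this hunk already touches the surrounding lines, suggest "SBOMs" there as well.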
|
|
1608 | 1608 |
|
1609 | 1609 | 00:58:59 Yeah, no, I think the biggest so in terms of like, what can you personally do? Because like, there's just I just talked about so much stuff that is just kind of happening in the background.
|
1610 | 1610 |
|
1611 |
| -00:59:08 But there's also stuff that like individual people can do. And the most impactful URL that you can visit for security, if you're an open source consumer or like a maintainer, like it doesn't matter, this is just gonna be impactful if you work in software is best dot open ssf.org. So So that is basically just like a web page and it just has a few URLs and you click into any of those URLs and it just gives you like a checklist of your things to think about here's and then if you click into those checklist items, it gives you it's kind of like this recursive nice, like guiding force of like, here's the things you could be doing, right? |
| 1611 | +00:59:08 But there's also stuff that like individual people can do. And the most impactful URL that you can visit for security, if you're an open source consumer or like a maintainer, like it doesn't matter, this is just gonna be impactful if you work in software is best.open ssf.org. So So that is basically just like a web page and it just has a few URLs and you click into any of those URLs and it just gives you like a checklist of your things to think about here's and then if you click into those checklist items, it gives you it's kind of like this recursive nice, like guiding force of like, here's the things you could be doing, right? |
1612 | 1612 |
|
1613 |
| -00:59:46 And if you want to dig in more size guide for developing more secure software, in other words, NPM best practices, and so on. |
| 1613 | +00:59:46 And if you want to dig in more concise guide for developing more secure software, in other words, NPM best practices, and so on. |
1614 | 1614 |
|
1615 | 1615 | 00:59:54 Yeah, excellent.
|
1616 | 1616 |
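Review bot: the first `+` line still has a space inside the URL ("best.open ssf.org"); the site is best.openssf.org, the OpenSSF Best Practices Working Group's landing page, so it should be one token, `best.openssf.org`. The second `+` line's "concise guide" is right, as that page links the "Concise Guide for Developing More Secure Software" and the "npm Best Practices Guide"; "NPM" on that line could be lowercased to match the project's own name.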
|
|
1663 | 1663 | 01:01:48 Now get out there and write some Python code.
|
1664 | 1664 |
|
1665 | 1665 | 01:01:49 [MUSIC]
|
1666 |
| - |