Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Avoiding the "left-pad" problem: How to secure ...

Aaron Bassett
September 17, 2016
Programming
0
350

Avoiding the "left-pad" problem: How to secure your pip install process

Video: https://www.youtube.com/watch?v=qt7TboNJGJg

When Azer Koçulu pulled 11 lines of code from npm he not only broke thousands of dependent packages but also prevented developers all over the world from deploying their code. This talk will show how you can harden your pip install process, ensure that packages have not been tampered with, protect against MITM attacks and even how to keep deploying if a package is deleted or if PyPI goes offline.

Aaron Bassett

September 17, 2016
Tweet

More Decks by Aaron Bassett

See All by Aaron Bassett
When your wetware has too many threads - Tips from an ADHDer on how to improve your focus
aaronbassett
1
50
Stupid (and possibly illegal) stuff you can do with SMS, but probably shouldn't
aaronbassett
0
250
Hello to the World in 8 Web Frameworks (Micro, Batteries Included & Async)
aaronbassett
0
50
When The __future__ Becomes The Present; Dropping Python 2 Support In A Commercial Client
aaronbassett
1
59
Real-time transcription and sentiment analysis of audio streams; on the phone and in the browser
aaronbassett
0
71
Django and the testing pyramid - DjangoCon Europe 2017
aaronbassett
0
750
Sun, Sea & Pi - A Raspberry Pi day talk
aaronbassett
0
110
Having fun with testing
aaronbassett
0
53
Effortless real time apps in Django
aaronbassett
1
1k

Other Decks in Programming

See All in Programming
Kaigi on Rails 2024 〜運営の裏側〜
krpk1900
1
200
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
10
1.3k
Jakarta EE meets AI
ivargrimstad
0
140
ペアーズにおけるAmazon Bedrockを⽤いた障害対応⽀援 ⽣成AIツールの導⼊事例 @ 20241115配信AWSウェビナー登壇
fukubaka0825
6
1.9k
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
170
最新TCAキャッチアップ
0si43
0
140
Duckdb-Wasmでローカルダッシュボードを作ってみた
nkforwork
0
120
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
100
CSC509 Lecture 09
javiergs
PRO
0
140
どうして僕の作ったクラスが手続き型と言われなきゃいけないんですか
akikogoto
1
120
CSC509 Lecture 11
javiergs
PRO
0
180
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
330

Featured

See All Featured
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
410
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
YesSQL, Process and Tooling at Scale
rocio
169
14k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
89
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Ruby is Unlike a Banana
tanoku
97
11k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
Thoughts on Productivity
jonyablonski
67
4.3k
Navigating Team Friction
lara
183
14k
Code Review Best Practice
trishagee
64
17k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k

Transcript

  1. AVOIDING THE "LEFT-PAD" PROBLEM: HOW TO SECURE YOUR PIP INSTALL

    PROCESS @aaronbassett getadministrate.com

  2. @AARONBASSETT

  3. getadministrate.com

  4. What are packages?

  5. None

  6. “Most software today is very much like an Egyptian pyramid

    with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.” Alan Kay
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None
  17. None
  18. None

  19. PRODUCTION

  20. QUALITY ASSURANCE

  21. LOCAL DEVELOPMENT

  22. None

  23. • 40,000 pages of specifications • 420,000 lines of code

    • 17 errors in last 11 versions

  24. THE ONLY BUG FREE CODE IS NO CODE

  25. None
  26. None
  27. None

  28. ORPHAN PACKAGES

  29. PIP TOOLS TO THE RESUCE

  30. None
  31. None
  32. None
  33. None
  34. None

  35. pip-sync

  36. "LEFT-PAD" PROBLEM

  37. KEEP IT LOCAL

  38. None
  39. None
  40. None
  41. None
  42. None
  43. None
  44. None
  45. None

  46. PIP HASH

  47. None
  48. None

  49. hashin 0.6.0

  50. • Inspect code before installing • Be your own Pypi

    • Use pip-compile and pip-sync • Hash all the things

  51. THANK YOU @aaronbassett getadministrate.com