Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Avoiding the "left-pad" problem: How to secure ...

Aaron Bassett
September 17, 2016
Programming
0
340

Avoiding the "left-pad" problem: How to secure your pip install process

Video: https://www.youtube.com/watch?v=qt7TboNJGJg

When Azer Koçulu pulled 11 lines of code from npm he not only broke thousands of dependent packages but also prevented developers all over the world from deploying their code. This talk will show how you can harden your pip install process, ensure that packages have not been tampered with, protect against MITM attacks and even how to keep deploying if a package is deleted or if PyPI goes offline.

Aaron Bassett

September 17, 2016
Tweet

More Decks by Aaron Bassett

See All by Aaron Bassett
When your wetware has too many threads - Tips from an ADHDer on how to improve your focus
aaronbassett
1
48
Stupid (and possibly illegal) stuff you can do with SMS, but probably shouldn't
aaronbassett
0
240
Hello to the World in 8 Web Frameworks (Micro, Batteries Included & Async)
aaronbassett
0
50
When The __future__ Becomes The Present; Dropping Python 2 Support In A Commercial Client
aaronbassett
1
59
Real-time transcription and sentiment analysis of audio streams; on the phone and in the browser
aaronbassett
0
70
Django and the testing pyramid - DjangoCon Europe 2017
aaronbassett
0
750
Sun, Sea & Pi - A Raspberry Pi day talk
aaronbassett
0
110
Having fun with testing
aaronbassett
0
52
Effortless real time apps in Django
aaronbassett
1
990

Other Decks in Programming

See All in Programming
Macとオーディオ再生 2024/11/02
yusukeito
0
190
qmuntal/stateless のススメ
sgash708
0
120
Amazon Neptuneで始めてみるグラフDB -OpenSearchによるグラフの全文検索-
satoshi256kbyte
4
330
Generative AI Use Cases JP (略称:GenU)奮闘記
hideg
0
150
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
140
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
1
290
VR HMDとしてのVision Pro+ゲーム開発について
yasei_no_otoko
0
100
『ドメイン駆動設計をはじめよう』のモデリングアプローチ
masuda220
PRO
8
440
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
7
2.8k
Progressive Web Apps für Desktop und Mobile mit Angular (Hands-on)
christianliebel
PRO
0
110
PLoP 2024: The evolution of the microservice architecture pattern language
cer
PRO
0
1.6k
Realtime API 入門
riofujimon
0
110

Featured

See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
790
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
37
1.8k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
92
16k
Visualization
eitanlees
144
15k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
107
49k
Building Applications with DynamoDB
mza
90
6.1k
How to Ace a Technical Interview
jacobian
275
23k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Typedesign – Prime Four
hannesfritz
39
2.4k
4 Signs Your Business is Dying
shpigford
180
21k
Designing Experiences People Love
moore
138
23k

Transcript

  1. AVOIDING THE "LEFT-PAD" PROBLEM: HOW TO SECURE YOUR PIP INSTALL

    PROCESS @aaronbassett getadministrate.com

  2. @AARONBASSETT

  3. getadministrate.com

  4. What are packages?

  5. None

  6. “Most software today is very much like an Egyptian pyramid

    with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.” Alan Kay
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None
  17. None
  18. None

  19. PRODUCTION

  20. QUALITY ASSURANCE

  21. LOCAL DEVELOPMENT

  22. None

  23. • 40,000 pages of specifications • 420,000 lines of code

    • 17 errors in last 11 versions

  24. THE ONLY BUG FREE CODE IS NO CODE

  25. None
  26. None
  27. None

  28. ORPHAN PACKAGES

  29. PIP TOOLS TO THE RESUCE

  30. None
  31. None
  32. None
  33. None
  34. None

  35. pip-sync

  36. "LEFT-PAD" PROBLEM

  37. KEEP IT LOCAL

  38. None
  39. None
  40. None
  41. None
  42. None
  43. None
  44. None
  45. None

  46. PIP HASH

  47. None
  48. None

  49. hashin 0.6.0

  50. • Inspect code before installing • Be your own Pypi

    • Use pip-compile and pip-sync • Hash all the things

  51. THANK YOU @aaronbassett getadministrate.com