Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Avoiding the "left-pad" problem: How to secure your pip install process

Aaron Bassett
September 17, 2016
Programming
0
310

Avoiding the "left-pad" problem: How to secure your pip install process

Video: https://www.youtube.com/watch?v=qt7TboNJGJg

When Azer Koçulu pulled 11 lines of code from npm he not only broke thousands of dependent packages but also prevented developers all over the world from deploying their code. This talk will show how you can harden your pip install process, ensure that packages have not been tampered with, protect against MITM attacks and even how to keep deploying if a package is deleted or if PyPI goes offline.

Aaron Bassett

September 17, 2016
Tweet

More Decks by Aaron Bassett

See All by Aaron Bassett
When your wetware has too many threads - Tips from an ADHDer on how to improve your focus
aaronbassett
1
40
Stupid (and possibly illegal) stuff you can do with SMS, but probably shouldn't
aaronbassett
0
180
Hello to the World in 8 Web Frameworks (Micro, Batteries Included & Async)
aaronbassett
0
42
When The __future__ Becomes The Present; Dropping Python 2 Support In A Commercial Client
aaronbassett
1
51
Real-time transcription and sentiment analysis of audio streams; on the phone and in the browser
aaronbassett
0
58
Django and the testing pyramid - DjangoCon Europe 2017
aaronbassett
0
650
Sun, Sea & Pi - A Raspberry Pi day talk
aaronbassett
0
110
Having fun with testing
aaronbassett
0
51
Effortless real time apps in Django
aaronbassett
1
890

Other Decks in Programming

See All in Programming
AWS Application Composerで始める、 サーバーレスなデータ基盤構築 / 20240406-jawsug-hokuriku-shinkansen
kasacchiful
1
250
Netty Chicago Java User Group 2024-04-17
sullis
0
110
ログラスを支える設計標準について / loglass-design-standards
urmot
10
2.1k
Doctrine ORMでValue Objectを扱う方法4選 #phpstudy / 4 ways to handle Value Objects with Doctrine ORM
77web
4
110
PHP8.3の機能を振り返る / Review of PHP 8.3 features
seike460
PRO
1
110
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
39
18k
try! Swift Tokyo 初参加報告LT
hinakko2
0
190
Micro Frontends for Java Microservices - Devnexus 2024
mraible
PRO
0
420
From Spring Boot 2 to Spring Boot 3 with Java 22 and Jakarta EE
ivargrimstad
0
880
ONE WEDGE_company_guide
1wedge_one
0
370
Ruby Pattern Matching
bkuhlmann
0
920
コーンフレークから始める モデリング会話入門
ogurotakayuki
0
280

Featured

See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
120
16k
Producing Creativity
orderedlist
PRO
336
39k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
13
1.5k
Building Effective Engineering Teams - LeadDev
addyosmani
27
1.8k
KATA
mclloyd
14
12k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
The Art of Programming - Codeland 2020
erikaheidi
41
12k
How to name files
jennybc
64
92k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
4 Signs Your Business is Dying
shpigford
175
21k
Embracing the Ebb and Flow
colly
79
4.1k
Adopting Sorbet at Scale
ufuk
67
8.6k

Transcript

  1. AVOIDING THE "LEFT-PAD" PROBLEM: HOW TO SECURE YOUR PIP INSTALL

    PROCESS @aaronbassett getadministrate.com

  2. @AARONBASSETT

  3. getadministrate.com

  4. What are packages?

  5. None

  6. “Most software today is very much like an Egyptian pyramid

    with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.” Alan Kay
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None
  17. None
  18. None

  19. PRODUCTION

  20. QUALITY ASSURANCE

  21. LOCAL DEVELOPMENT

  22. None

  23. • 40,000 pages of specifications • 420,000 lines of code

    • 17 errors in last 11 versions

  24. THE ONLY BUG FREE CODE IS NO CODE

  25. None
  26. None
  27. None

  28. ORPHAN PACKAGES

  29. PIP TOOLS TO THE RESUCE

  30. None
  31. None
  32. None
  33. None
  34. None

  35. pip-sync

  36. "LEFT-PAD" PROBLEM

  37. KEEP IT LOCAL

  38. None
  39. None
  40. None
  41. None
  42. None
  43. None
  44. None
  45. None

  46. PIP HASH

  47. None
  48. None

  49. hashin 0.6.0

  50. • Inspect code before installing • Be your own Pypi

    • Use pip-compile and pip-sync • Hash all the things

  51. THANK YOU @aaronbassett getadministrate.com