Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Avoiding the "left-pad" problem: How to secure ...

Aaron Bassett
September 17, 2016

Avoiding the "left-pad" problem: How to secure your pip install process

Video: https://www.youtube.com/watch?v=qt7TboNJGJg

When Azer Koçulu pulled 11 lines of code from npm he not only broke thousands of dependent packages but also prevented developers all over the world from deploying their code. This talk will show how you can harden your pip install process, ensure that packages have not been tampered with, protect against MITM attacks and even how to keep deploying if a package is deleted or if PyPI goes offline.

Aaron Bassett

September 17, 2016
Tweet

More Decks by Aaron Bassett

Other Decks in Programming

Transcript

  1. AVOIDING THE "LEFT-PAD" PROBLEM: HOW TO SECURE YOUR PIP INSTALL

    PROCESS @aaronbassett getadministrate.com
  2. “Most software today is very much like an Egyptian pyramid

    with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.” Alan Kay
  3. • Inspect code before installing • Be your own Pypi

    • Use pip-compile and pip-sync • Hash all the things