Slide 1

Keynote: Ask a core developer anything
PyCon LT 2021 / Vilnius, 2021-09-03
Christian Heimes, Principal Software Engineer
[email protected] / [email protected]
@ChristianHeimes

Slide 2

Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

Agenda (sli.do #765699)
● Introduction
● PSF & Python
● Pre-submitted questions
  ● core dev questions
  ● security questions
  ● general questions
● Live questions

Slide 3

Rules
You can ask me anything:
● questions should be related to Python somehow
● answers should be of interest for the audience
● keep your questions short (20 secs, 3 sentences)
● keep it fun and educational, but questions about bad experiences are ok, too
● no politics, no religion, no (too) private questions
● I might skip a question if I don't know the answer well enough

Slide 4

Who am I?
● he/him
● from Hamburg/Germany
● Python core developer, Python security team, PSF Diversity & Inclusion WG
● Principal Software Engineer at Red Hat, Identity Management and Platform Security

Slide 5

Open source career
● 1997 Linux user and admin
● 2000 network, email, and security admin in a students' dorm
● 2001 Python 2.1, Zope/Plone contributor
● 2003 first Python conference (EuroPython in Charleroi/BE)
● 2007 Python core dev, PSF member
● 2012/13 Python Security Team
● 2013 conference speaker
● 2015 Red Hat
● 2020 Diversity & Inclusion WG

Slide 6

Python contribution
● math and cmath improvements, float('inf')
● Python 3000
  ● str/bytes split, b'' prefix in Python 2
  ● forward/backport porting
● The "ssl & security guy"
  ● ssl, hashlib module, OpenSSL integration
  ● Security improvements and fixes
● PEP 370 (pip install --user), 452, 456, 644, 543, 594, 8001

Slide 8

PSF & Python

Slide 9

(organisation diagram) Python Software Foundation / Python: Steering Council, Python Core Dev, Board of Directors, D&I WG, CoC WG, PyPA SIG

Slide 10

Python Software Foundation
"The mission of the Python Software Foundation is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers."
The Python Software Foundation (PSF) is a non-profit membership organization devoted to advancing open source technology related to the Python programming language.

Slide 11

Python Software Foundation
● Board of Directors
● paid positions
  ● event coordinator, director of infrastructure, treasury, ...
● Working Groups / Special Interest Groups
  ● Infrastructure, Packaging (PyPA)
  ● Trademark, Legal, Marketing, Bylaws
  ● Diversity & Inclusion
  ● Code of Conduct
  ● Scientific Python, Education

Slide 12

PSF Membership (https://www.python.org/psf/membership/)
● Basic, non-voting members
● Supporting members
  ● annual donation of $99 USD or more
● Managing members
  ● 5h/month community or Python ecosystem support
● Contributing members
  ● 5h/month for OSS maintainers
● Fellow

Slide 13

Python Core Development
● ~90 "active" core developers
● Governance
  ● Guido was BDFL until 2018
  ● Steering Council with 5 members for each release (PEP 8000, 8016, 8100+)
  ● Release Manager

Slide 14

Diversity & Inclusion WG
● Python users are from all over the world
● most core developers are from North America and Western Europe
● the majority of core developers are white men
● the PSF board lacks representation from LATAM and SE Asia

Slide 16

Pre-submitted questions

Slide 17

How did you become a core developer?

Slide 19

Who pays for core devs' work? How much is voluntary (on free time) and how much is paid by the employer? (Probably varies, but maybe some estimates?)

Slide 20

volunteers

Slide 21

paid in exposure

Slide 25

Who pays for core development?
● PSF sponsors
  ● Łukasz Langa, developer in residence (DIR)
  ● core sprint sponsoring
● Employer sponsors
  ● work time
  ● travel time & expenses
● GitHub sponsors, Tidelift
● mostly volunteer work

Slide 26

How much time do different employers give to core devs to work on open source Python? E.g. Red Hat, Microsoft, Bloomberg, etc.

Slide 27

Company time
● Red Hat
  ● Victor Stinner: 100%
  ● Petr Viktorin & Python maintenance team
  ● hardware, upstream and packaging contributions
  ● me: case-by-case, ~15 conference days / year
● Google, Microsoft, others: 1 day / week (?)
● Microsoft: several full-time jobs for the Faster Python effort
● Bloomberg: Pablo 50% for the Faster Python effort

Slide 28

As a core dev, how much time do you spend in Python and how much in other languages (e.g. C)?

Slide 29

What new exciting project (maybe imaginary) would you like to work on?

Slide 31

Is there some area/subfield of Python that you feel you don't know too well (like the rest of us mortals)?

Slide 32

What would you magically change for Python if you could? E.g. more core devs, better salaries, more open source time from employers, more non-core-dev people...

Slide 33

Security questions

Slide 34

Who are the main developers involved in Python security?

Slide 35

Python Security Response Team
● Release managers: Benjamin, Larry, Ned, Łukasz, Pablo
● PyPA / PSF Infra: Ee W. Durbin, Dustin, Pradyun
● Vendors
  ● Google: Gregory P. Smith
  ● Microsoft: Steve Dower
  ● Red Hat: Victor Stinner, me
● Alex Gaynor, Barry, Glyph, Guido, Serhiy
● ...

Slide 36

What were the biggest Python vulnerabilities in the past?

Slide 37

Hash collision attack on dictionaries

    >>> hash('de')
    12800076900115529
    >>> hash('de') & (8 - 1)
    1

(diagram: an 8-slot hash table, slots 0 to 7; 'de' lands in slot 1)

Slide 38

Hash collision attack

    >>> hash('df')
    6672104196504639850
    >>> hash('df') & (8 - 1)
    2

(diagram: slots 0 to 7; 'de' in slot 1, 'df' in slot 2)

Slide 39

Hash collision attack, fixed by PEP 456

    >>> hash('cf') & (8 - 1)
    1
    >>> hash('bg') & (8 - 1)
    1

(diagram: slots 0 to 7; 'de', 'cf' and 'bg' all collide in slot 1, 'df' sits in slot 2)
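The slot arithmetic from the three slides above, as an added example that is not part of the talk: slot() mirrors hash(key) & (8 - 1), slot_histogram() shows how colliding keys would pile into one slot, and hash_in_fresh_interpreter() starts a new interpreter (assumed to be reachable as sys.executable) with a fixed PYTHONHASHSEED to show that with the keyed, randomized hash of PEP 456 the hash, and hence the slot, differs from one process to the next, so colliding keys cannot be precomputed.

```python
import os
import subprocess
import sys


def slot(key, table_size=8):
    """Dict slot as on the slides: the low bits of hash(key) select the bucket."""
    assert table_size & (table_size - 1) == 0, "dict tables are powers of two"
    return hash(key) & (table_size - 1)


def slot_histogram(keys, table_size=8):
    """Number of keys per slot. A hash flood piles keys into one slot, turning
    O(1) lookups into O(n) probes and n inserts into O(n^2) work."""
    counts = [0] * table_size
    for key in keys:
        counts[slot(key, table_size)] += 1
    return counts


def max_load_share(keys, table_size=8):
    """Share of keys in the fullest slot: near 1/table_size is healthy, near 1.0 is a flood."""
    keys = list(keys)
    return max(slot_histogram(keys, table_size)) / max(len(keys), 1)


def hash_in_fresh_interpreter(key, seed):
    """hash(key) as computed by a new interpreter started with PYTHONHASHSEED=seed.

    Assumes sys.executable can be spawned. Hash randomization cannot be
    observed inside one process, because the key is fixed at start-up."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    proc = subprocess.run([sys.executable, "-c", f"print(hash({key!r}))"],
                          env=env, capture_output=True, text=True, check=True)
    return int(proc.stdout)


def hash_is_randomized():
    """True if this process hashes str/bytes with a per-process SipHash key."""
    return bool(sys.flags.hash_randomization) and sys.hash_info.algorithm.startswith("siphash")


if __name__ == "__main__":
    print("slot('de') =", slot("de"), " slot('df') =", slot("df"))
    print("hash('de') with seed 1:", hash_in_fresh_interpreter("de", 1))
    print("hash('de') with seed 2:", hash_in_fresh_interpreter("de", 2))
    print("randomized in this process:", hash_is_randomized())
```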

Slide 40

Parsing plain text protocols

    from socket import create_connection

    sock = create_connection(('host', 80))
    f = sock.makefile()
    for line in f:
        # no limit on line length or header count; a line without ':' raises ValueError
        name, value = line.split(':', 1)
        ...

Slide 41

More security vulnerabilities
● ssl module: X.509 certificate hostname matching
● regular expression denial of service (ReDoS)
● XML entity expansion attacks (XML bomb, file inclusion)
● HTTP header parsing
● file descriptor inheritance
● usual C bugs (buffer overflow, use-after-free, ...)
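A hardened version of the header loop from slide 40, written as an added example (not code from the talk) for the "HTTP header parsing" item above. It keeps the same 'Name: value' shape but adds the bounds the standard library's http.client also enforces, a maximum line length and a maximum header count, and rejects malformed lines, names with embedded whitespace and obsolete line folding explicitly instead of leaking an unhandled ValueError.

```python
import io

MAX_LINE = 65536     # same per-line bound http.client uses
MAX_HEADERS = 100    # same header-count bound http.client uses


class HeaderError(ValueError):
    """Raised for a malformed or oversized header block."""


def parse_headers(f, max_line=MAX_LINE, max_headers=MAX_HEADERS):
    """Read 'Name: value' lines from a text file object up to an empty line.

    readline(limit) never buffers more than limit characters, so a peer that
    sends an endless line without a newline cannot exhaust memory; the header
    count is capped for the same reason. Returns a list of (name, value).
    """
    headers = []
    while True:
        line = f.readline(max_line + 1)
        if len(line) > max_line:
            raise HeaderError("header line too long")
        if line in ("", "\n", "\r\n"):
            break  # EOF or the blank line that terminates the header block
        if len(headers) >= max_headers:
            raise HeaderError(f"more than {max_headers} headers")
        if line[0] in " \t":
            raise HeaderError("obsolete line folding is not accepted")
        if ":" not in line:
            raise HeaderError(f"line without ':': {line.rstrip()!r}")
        name, value = line.split(":", 1)
        # whitespace inside or around the name (e.g. 'Host :') is how parsers disagree
        if not name or any(c.isspace() for c in name):
            raise HeaderError(f"bad header name: {name!r}")
        headers.append((name, value.strip()))
    return headers


def parse_headers_text(text, **limits):
    """Convenience wrapper for parsing an in-memory header block."""
    return parse_headers(io.StringIO(text), **limits)
```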

Slide 42

What are the most common security issues in Python?

Slide 43

Security issues in Python applications
● OWASP Top 20
● input validation and sanitization issues (SQL injection attacks)
● code injection with eval(), exec(), or __import__()
● os.system() and subprocess calls with string arguments
● insecure or missing TLS/SSL
● misuse of cryptography
● credential leaks (logging, readable config files, git)
● missing security updates
● supply chain attacks

Slide 44

Are packages from PyPI safe?
No (for some definition of "No")

Slide 45

PyPI security
● free account registration
● no project name verification → typosquatting
● no code review or scanning on upload
● a project can contain malicious code
  ● maintainer may accidentally introduce a bug
  ● maintainer compromised
  ● maintainer could go rogue and deliberately add a vulnerability
  ● CI/CD pipeline compromised

Slide 46

PyPI security efforts
● TUF, The Update Framework
  ● PEP 480 Surviving a compromise of PyPI
  ● PEP 458 Secure PyPI downloads with signed repository metadata
● Python wheels
● SSSC-SIG (Secure Software Supply Chains for Python)
● Shared format for OSS vulnerability data (Google)
● Code signing: sigstore (Google, Red Hat, et al.)
● Code behavior analysis efforts (e.g. Project Thoth by Red Hat)

Slide 47

Any tips on how we can protect ourselves against insecure imports in our Python applications?

Slide 48

Protection against insecure imports
● review all dependencies and updates
● optionally: run your own PyPI mirror with a limited set of packages
● use requirements.txt with pins and hashes
● run the application as an unprivileged user with limited permissions and capabilities
  ● read-only code
  ● no root (even in containers)
  ● use systemd security features
● Dustin Ingram's PyCon talk "Secure Software Supply Chains"
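An added example, not the talk's code, for the "requirements.txt with pins and hashes" item above: a checker that parses a hash-pinned requirements file in pip's format, refuses anything that is not an exact == pin carrying at least one strong --hash (the cases pip's --require-hashes mode also rejects), and verifies a downloaded artifact against the pinned digests. The sample artifact and its pin are constructed inline, and demo-pkg is a placeholder project name.

```python
import hashlib
import re

ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}   # the algorithms pip accepts for --hash
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)$")
HASH_RE = re.compile(r"^--hash=([a-z0-9]+):([0-9a-f]+)$")


class RequirementError(ValueError):
    """Raised for a requirement that is not safely pinned."""


def parse_pinned_requirements(text):
    """Parse a hash-pinned requirements.txt into {name: (version, {(algo, digest), ...})}."""
    logical = text.replace("\\\n", " ")          # join pip-style backslash continuations
    pins = {}
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        spec, *opts = line.split()
        m = PIN_RE.match(spec)
        if not m:
            raise RequirementError(f"not an exact pin: {spec!r}")
        name, version = m.group(1).lower().replace("_", "-"), m.group(2)
        hashes = set()
        for opt in opts:
            h = HASH_RE.match(opt)
            if not h or h.group(1) not in ALLOWED_ALGOS:
                raise RequirementError(f"bad or weak option for {name}: {opt!r}")
            hashes.add((h.group(1), h.group(2)))
        if not hashes:
            raise RequirementError(f"{name}=={version} is pinned without --hash")
        pins[name] = (version, hashes)
    return pins


def verify_artifact(name, data, pins):
    """True only if the artifact's digest matches one of the hashes pinned for the project."""
    _version, hashes = pins[name.lower().replace("_", "-")]
    return any(hashlib.new(algo, data).hexdigest() == digest for algo, digest in hashes)


# Constructed sample: a stand-in wheel payload and the pin a maintainer would commit for it.
SAMPLE_ARTIFACT = b"constructed stand-in for demo_pkg-1.0.0-py3-none-any.whl"
SAMPLE_REQUIREMENTS = (
    "demo-pkg==1.0.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}\n"
)
```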

Slide 49

General questions

Slide 50

What do you love about Python the most?

Slide 52

Which books would you say are a must read for a Python developer?

Slide 54

Which IDE are you using? Do you use any plugins for making programming easier / more comfortable?

Slide 55

Are you using any website daily for Python / programming knowledge improvement?

Slide 56

Questions?
@ChristianHeimes
[email protected] / [email protected]
https://speakerdeck.com/tiran/

Slide 57

THANK YOU
plus.google.com/+RedHat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews
linkedin.com/company/red-hat