Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PyCon LT 2021 Keynote: Ask a core developer anything

PyCon LT 2021 Keynote: Ask a core developer anything

https://pretalx.com/pyconlt2020/talk/QUZLAS/

What did you always wanted to know about Python core development,
security, global Python community, or open source development in
generak? You get a chance to have your questions answered by a long-time
Python core developer and professional open source developer. I will
answer your questions live on stage at PyCon Lithuania.

To give you some ideas for topics:

* Python core development
* Python security and PSRT
* Python history, 2 to 3 migration
* PSF, community and Diversity & Inclusion
* public speaking, conferences and travel adventures

Christian Heimes

September 03, 2021
Tweet

More Decks by Christian Heimes

Other Decks in Programming

Transcript

  1. Keynote
    Ask a core developer anything
    PyCon LT 2021 / Vilnius 2021-09-03
    Christian Heimes
    Principal Software Engineer
    [email protected] / [email protected]
    @ChristianHeimes

    View Slide

  2. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Introduction

    PSF & Python

    Pre-submitted questions

    core dev questions

    security questions

    general questions

    Live questions
    Agenda
    sli.do #765699

    View Slide

  3. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    You can ask me anything

    questions should be related to Python somehow

    answers should be of interest for the audience

    keep your questions short (20 secs, 3 sentences)

    keep it fun and educational, but questions about bad
    experiences are ok, too.

    no politics, no religion, no (too) private questions

    I might skip a question if I don't know the answer well enough.
    Rules

    View Slide

  4. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Who am I?

    he/him

    from Hamburg/Germany

    Python core developer, Python security team,
    PSF Diversity & Inclusion WG

    Principal Software Engineer at Red Hat
    Identity Management and Platform Security

    View Slide

  5. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    1997 Linux user and admin

    2000 network, email, and security admin in students dorm

    2001 Python 2.1, Zope/Plone contributor

    2003 first Python conference (EuroPython in Charleroi/BE)

    2007 Python core dev, PSF member

    2012/13 Python Security Team

    2013 conference speaker

    2015 Red Hat

    2020 Diversity & Inclusion WG
    Open source career

    View Slide

  6. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    math and cmath improvements, float('inf')

    Python 3000

    str/bytes split, b'' prefix in Python 2

    forward/backport porting

    The “ssl & security guy”

    ssl, hashlib module, OpenSSL integration

    Security improvements and fixes

    PEP 370, 452, 456, 644, 543, 594, 8001
    pip install --user
    Python contribution

    View Slide

  7. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    View Slide

  8. PSF & Python

    View Slide

  9. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Python Software
    Foundation
    Steering
    Council
    Python
    Core Dev
    Board of
    Directors
    D&I WG
    CoC WG
    PyPA
    SIG

    View Slide

  10. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    The mission of the Python Software Foundation is to promote,
    protect, and advance the Python programming language, and to
    support and facilitate the growth of a diverse and international
    community of Python programmers.
    The Python Software Foundation (PSF) is a non-profit membership
    organization devoted to advancing open source technology related
    to the Python programming language.
    Python Software Foundation

    View Slide

  11. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Board of Directors

    paid position

    event coordinator, director of infrastructure, treasury, ...

    Working Groups / Special Interest Groups

    Infrastructure, Packaging (PyPA)

    Trademark, Legal, Marketing, Bylaws

    Diversity & Inclusion

    Code of Conduct

    Scientific Python, Education
    Python Software Foundation

    View Slide

  12. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Basic, non-voting members

    Supporting members

    annual donation $ 99 USD or more

    Managing members

    5h/month community or Python ecosystem support

    Contributing members

    5h/month for OSS maintainers

    Fellow
    PSF Membership
    https://www.python.org/psf/membership/

    View Slide

  13. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    ~90 "active" core developers

    Government

    Guido was BDFL until 2018

    Steering Council with 5 members for each release
    (PEP 8000, 8016, 8100+)

    Release Manager
    Python Core Development

    View Slide

  14. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Python users are from all over the world

    most core developers are from North America and West Europe

    majority of core developers are white men

    PSF board lacks representation from LATAM and SE Asia
    Diversity & Inclusion WG

    View Slide

  15. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    View Slide

  16. Pre-submitted questions

    View Slide

  17. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    How did you become a
    core developer?

    View Slide

  18. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    View Slide

  19. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Who pays for core devs' work?
    How much is voluntary (on free time) and how
    much is paid by the employer? (probably varies,
    but maybe some estimates?)

    View Slide

  20. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    volunteers

    View Slide

  21. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    paid in
    exposure

    View Slide

  22. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    View Slide

  23. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    View Slide

  24. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    View Slide

  25. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    PSF sponsors

    Łukasz Langa, developer in residence (DIR)

    core sprint sponsoring

    Employer sponsor

    work time

    travel time & expenses

    Github sponsor, Tidelift

    mostly volunteer work
    Who pays for core development?

    View Slide

  26. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    How much time do different employers give to
    core devs to work on open source Python? E.g.
    Red Hat, Microsoft, Bloomberg, etc.

    View Slide

  27. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Red Hat

    Victor Stinner: 100%

    Petr Viktorin & Python maintenance team

    hardware, upstream and packaging contributions

    me: case-by-case, ~ 15 conference days / year

    Google, Microsoft, others: 1 day / week (?)

    Microsoft: several full time jobs for Faster Python effort

    Bloomberg: Pablo 50% for Faster Python effort
    Company time

    View Slide

  28. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    As a core dev,
    how much time do you spend in Python
    and how much in other languages (e.g. C)?

    View Slide

  29. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    What new exciting project
    (maybe imaginary)
    would you like to work on?

    View Slide

  30. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    View Slide

  31. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Is there some area/subfield of Python
    that you feel you don't know too well
    (as the rest of us mortals)?

    View Slide

  32. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    What would you magically change for Python if
    you could?
    E.g. more core devs, better salaries, more open
    source time from employers, more non-core dev
    people...

    View Slide

  33. Security questions

    View Slide

  34. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Who are the main developers
    involved in Python security?

    View Slide

  35. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Release managers: Benjamin, Larry, Ned, Łukasz, Pablo

    PyPA / PSF Infra: Ee W. Durbin, Dustin, Pradyun

    Vendors

    Google: Gregory P. Smith

    Microsoft: Steve Dower

    Red Hat: Victor Stinner, me

    Alex Gaynor, Barry, Glyph, Guido, Serhiy

    ...
    Python Security Response Team

    View Slide

  36. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    What were the biggest Python vulnerabilities
    in the past?

    View Slide

  37. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Hash collision attack on dictionaries
    >>> hash('de')
    12800076900115529
    >>> hash('de') & (8 - 1)
    1
    0 1 2 3 4 5 6 7
    0 1 2 3 4 5 6 7
    de

    View Slide

  38. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Hash collision attack
    >>> hash('df')
    6672104196504639850
    >>> hash('df') & (8 - 1)
    2
    0 1 2 3 4 5 6 7
    de df

    View Slide

  39. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Hash collision attack – fixed by PEP 456
    >>> hash('cf') & (8 - 1)
    1
    >>> hash('bg') & (8 - 1)
    1
    0 1 2 3 4 5 6 7
    de cf bg
    df

    View Slide

  40. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Parsing plain text protocols
    sock = create_connection(('host', 80))
    f = sock.makefile()
    for line in f:
    name, value = line.split(':', 1)
    ...

    View Slide

  41. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    ssl module: X.509 certificate hostname matching

    regular expression denial of service (REDOS)

    XML entity extension attacks (XML bomb, file inclusion)

    HTTP header parsing

    file descriptor inheritance

    usual C bugs (buffer overflow, use-after-free, ...)
    More security vulnerabilities

    View Slide

  42. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    What are the most common
    security issues in Python?

    View Slide

  43. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    OWASP Top 20

    input validation and sanitation issues (SQL injection attacks)

    code injection with eval(), exec(), or __import__()

    os.system() and subprocess call with string arguments

    insecure or missing TLS/SSL

    misuse of cryptography

    credential leaks (logging, readable config files, git)

    missing security updates

    supply chain attacks
    Security issues in Python applications

    View Slide

  44. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Are packages from PyPI safe?
    No
    (for some definition of "No")

    View Slide

  45. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    free account registration

    no project name verification typo squatting


    no code review or scanning on upload

    project can contain malicious code

    maintainer may accidentally introduce bug

    maintainer compromised

    maintainer could go rogue and deliberately add a vulnerability

    CI/CD pipeline compromised
    PyPI security

    View Slide

  46. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    TUF – The Update Framework

    PEP 480 Surviving a compromise of PyPI

    PEP 458 Secure PyPI downloads with signed repository metadata

    Python wheels

    SSSC-SIG (Secure Software Supply Chains for Python)

    Shared format for OSS vulnerability data (Google)

    Code signing sigstore (Google, Red Hat, et al.)

    Code behavior analysis efforts (e.g. Project Toth by Red Hat)
    PyPI security effort

    View Slide

  47. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Any tips how we can protect ourselves against
    insecure imports in our Python applications?

    View Slide

  48. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    review all dependencies and updates

    optionally: run your own PyPI mirror with limited packages

    use requirements.txt with pins and hashes

    run application as unprivileged user with limited permissions
    and capabilities

    read-only code

    no root (even in containers)

    use systemd security features

    Dustin Ingram's PyCon talk "Secure Software Supply Chains"
    Protection against insecure imports

    View Slide

  49. General questions

    View Slide

  50. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    What do you love about Python the most?

    View Slide

  51. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    View Slide

  52. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Which books would you say
    are must read for Python developer?

    View Slide

  53. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    View Slide

  54. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Which IDE are you using?
    Do you use any plugins for making programming
    easier / more comfortable?

    View Slide

  55. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Are you using any website daily for python /
    programming knowledge improvement?

    View Slide

  56. Questions?
    @ChristianHeimes
    [email protected]
    [email protected]
    https://speakerdeck.com/tiran/

    View Slide

  57. THANK YOU
    plus.google.com/+RedHat
    youtube.com/user/RedHatVideos
    facebook.com/redhatinc
    twitter.com/RedHatNews
    linkedin.com/company/red-hat

    View Slide