PyCon LT 2021 Keynote: Ask a core developer anything

Transcript

1. Keynote
   Ask a core developer anything
   PyCon LT 2021 / Vilnius 2021-09-03
   Christian Heimes
   Principal Software Engineer
   [email protected] / [email protected]
   @ChristianHeimes
   

   View Slide

2. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
   ●
   Introduction
   ●
   PSF & Python
   ●
   Pre-submitted questions
   ●
   core dev questions
   ●
   security questions
   ●
   general questions
   ●
   Live questions
   Agenda
   sli.do #765699
   

   View Slide

3. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
   You can ask me anything
   ●
   questions should be related to Python somehow
   ●
   answers should be of interest for the audience
   ●
   keep your questions short (20 secs, 3 sentences)
   ●
   keep it fun and educational, but questions about bad
   experiences are ok, too.
   ●
   no politics, no religion, no (too) private questions
   ●
   I might skip a question if I don't know the answer well enough.
   Rules
   

   View Slide

4. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
   Who am I?
   ●
   he/him
   ●
   from Hamburg/Germany
   ●
   Python core developer, Python security team,
   PSF Diversity & Inclusion WG
   ●
   Principal Software Engineer at Red Hat
   Identity Management and Platform Security
   

   View Slide

5. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
   ●
   1997 Linux user and admin
   ●
   2000 network, email, and security admin in students dorm
   ●
   2001 Python 2.1, Zope/Plone contributor
   ●
   2003 first Python conference (EuroPython in Charleroi/BE)
   ●
   2007 Python core dev, PSF member
   ●
   2012/13 Python Security Team
   ●
   2013 conference speaker
   ●
   2015 Red Hat
   ●
   2020 Diversity & Inclusion WG
   Open source career
   

   View Slide

6. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
   ●
   math and cmath improvements, float('inf')
   ●
   Python 3000
   ●
   str/bytes split, b'' prefix in Python 2
   ●
   forward/backport porting
   ●
   The “ssl & security guy”
   ●
   ssl, hashlib module, OpenSSL integration
   ●
   Security improvements and fixes
   ●
   PEP 370, 452, 456, 644, 543, 594, 8001
   pip install --user
   Python contribution
   

   View Slide

7. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
   

   View Slide

8. PSF & Python
   

   View Slide

9. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
   Python Software
   Foundation
   Steering
   Council
   Python
   Core Dev
   Board of
   Directors
   D&I WG
   CoC WG
   PyPA
   SIG
   

   View Slide

10. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    The mission of the Python Software Foundation is to promote,
    protect, and advance the Python programming language, and to
    support and facilitate the growth of a diverse and international
    community of Python programmers.
    The Python Software Foundation (PSF) is a non-profit membership
    organization devoted to advancing open source technology related
    to the Python programming language.
    Python Software Foundation
    

    View Slide

11. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    ●
    Board of Directors
    ●
    paid position
    ●
    event coordinator, director of infrastructure, treasury, ...
    ●
    Working Groups / Special Interest Groups
    ●
    Infrastructure, Packaging (PyPA)
    ●
    Trademark, Legal, Marketing, Bylaws
    ●
    Diversity & Inclusion
    ●
    Code of Conduct
    ●
    Scientific Python, Education
    Python Software Foundation
    

    View Slide

12. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    ●
    Basic, non-voting members
    ●
    Supporting members
    ●
    annual donation $ 99 USD or more
    ●
    Managing members
    ●
    5h/month community or Python ecosystem support
    ●
    Contributing members
    ●
    5h/month for OSS maintainers
    ●
    Fellow
    PSF Membership
    https://www.python.org/psf/membership/
    

    View Slide

13. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    ●
    ~90 "active" core developers
    ●
    Government
    ●
    Guido was BDFL until 2018
    ●
    Steering Council with 5 members for each release
    (PEP 8000, 8016, 8100+)
    ●
    Release Manager
    Python Core Development
    

    View Slide

14. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    ●
    Python users are from all over the world
    ●
    most core developers are from North America and West Europe
    ●
    majority of core developers are white men
    ●
    PSF board lacks representation from LATAM and SE Asia
    Diversity & Inclusion WG
    

    View Slide

15. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    

    View Slide

16. Pre-submitted questions
    

    View Slide

17. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    How did you become a
    core developer?
    

    View Slide

18. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    

    View Slide

19. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Who pays for core devs' work?
    How much is voluntary (on free time) and how
    much is paid by the employer? (probably varies,
    but maybe some estimates?)
    

    View Slide

20. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    volunteers
    

    View Slide

21. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    paid in
    exposure
    

    View Slide

22. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    

    View Slide

23. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    

    View Slide

24. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    

    View Slide

25. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    ●
    PSF sponsors
    ●
    Łukasz Langa, developer in residence (DIR)
    ●
    core sprint sponsoring
    ●
    Employer sponsor
    ●
    work time
    ●
    travel time & expenses
    ●
    Github sponsor, Tidelift
    ●
    mostly volunteer work
    Who pays for core development?
    

    View Slide

26. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    How much time do different employers give to
    core devs to work on open source Python? E.g.
    Red Hat, Microsoft, Bloomberg, etc.
    

    View Slide

27. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    ●
    Red Hat
    ●
    Victor Stinner: 100%
    ●
    Petr Viktorin & Python maintenance team
    ●
    hardware, upstream and packaging contributions
    ●
    me: case-by-case, ~ 15 conference days / year
    ●
    Google, Microsoft, others: 1 day / week (?)
    ●
    Microsoft: several full time jobs for Faster Python effort
    ●
    Bloomberg: Pablo 50% for Faster Python effort
    Company time
    

    View Slide

28. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    As a core dev,
    how much time do you spend in Python
    and how much in other languages (e.g. C)?
    

    View Slide

29. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    What new exciting project
    (maybe imaginary)
    would you like to work on?
    

    View Slide

30. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    

    View Slide

31. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Is there some area/subfield of Python
    that you feel you don't know too well
    (as the rest of us mortals)?
    

    View Slide

32. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    What would you magically change for Python if
    you could?
    E.g. more core devs, better salaries, more open
    source time from employers, more non-core dev
    people...
    

    View Slide

33. Security questions
    

    View Slide

34. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Who are the main developers
    involved in Python security?
    

    View Slide

35. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    ●
    Release managers: Benjamin, Larry, Ned, Łukasz, Pablo
    ●
    PyPA / PSF Infra: Ee W. Durbin, Dustin, Pradyun
    ●
    Vendors
    ●
    Google: Gregory P. Smith
    ●
    Microsoft: Steve Dower
    ●
    Red Hat: Victor Stinner, me
    ●
    Alex Gaynor, Barry, Glyph, Guido, Serhiy
    ●
    ...
    Python Security Response Team
    

    View Slide

36. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    What were the biggest Python vulnerabilities
    in the past?
    

    View Slide

37. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Hash collision attack on dictionaries
    >>> hash('de')
    12800076900115529
    >>> hash('de') & (8 - 1)
    1
    0 1 2 3 4 5 6 7
    0 1 2 3 4 5 6 7
    de
    

    View Slide

38. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Hash collision attack
    >>> hash('df')
    6672104196504639850
    >>> hash('df') & (8 - 1)
    2
    0 1 2 3 4 5 6 7
    de df
    

    View Slide

39. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Hash collision attack – fixed by PEP 456
    >>> hash('cf') & (8 - 1)
    1
    >>> hash('bg') & (8 - 1)
    1
    0 1 2 3 4 5 6 7
    de cf bg
    df
    

    View Slide

40. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Parsing plain text protocols
    sock = create_connection(('host', 80))
    f = sock.makefile()
    for line in f:
    name, value = line.split(':', 1)
    ...
    

    View Slide

41. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    ●
    ssl module: X.509 certificate hostname matching
    ●
    regular expression denial of service (REDOS)
    ●
    XML entity extension attacks (XML bomb, file inclusion)
    ●
    HTTP header parsing
    ●
    file descriptor inheritance
    ●
    usual C bugs (buffer overflow, use-after-free, ...)
    More security vulnerabilities
    

    View Slide

42. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    What are the most common
    security issues in Python?
    

    View Slide

43. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    ●
    OWASP Top 20
    ●
    input validation and sanitation issues (SQL injection attacks)
    ●
    code injection with eval(), exec(), or __import__()
    ●
    os.system() and subprocess call with string arguments
    ●
    insecure or missing TLS/SSL
    ●
    misuse of cryptography
    ●
    credential leaks (logging, readable config files, git)
    ●
    missing security updates
    ●
    supply chain attacks
    Security issues in Python applications
    

    View Slide

44. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Are packages from PyPI safe?
    No
    (for some definition of "No")
    

    View Slide

45. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    ●
    free account registration
    ●
    no project name verification typo squatting
    →
    ●
    no code review or scanning on upload
    ●
    project can contain malicious code
    ●
    maintainer may accidentally introduce bug
    ●
    maintainer compromised
    ●
    maintainer could go rogue and deliberately add a vulnerability
    ●
    CI/CD pipeline compromised
    PyPI security
    

    View Slide

46. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    ●
    TUF – The Update Framework
    ●
    PEP 480 Surviving a compromise of PyPI
    ●
    PEP 458 Secure PyPI downloads with signed repository metadata
    ●
    Python wheels
    ●
    SSSC-SIG (Secure Software Supply Chains for Python)
    ●
    Shared format for OSS vulnerability data (Google)
    ●
    Code signing sigstore (Google, Red Hat, et al.)
    ●
    Code behavior analysis efforts (e.g. Project Toth by Red Hat)
    PyPI security effort
    

    View Slide

47. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Any tips how we can protect ourselves against
    insecure imports in our Python applications?
    

    View Slide

48. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    ●
    review all dependencies and updates
    ●
    optionally: run your own PyPI mirror with limited packages
    ●
    use requirements.txt with pins and hashes
    ●
    run application as unprivileged user with limited permissions
    and capabilities
    ●
    read-only code
    ●
    no root (even in containers)
    ●
    use systemd security features
    ●
    Dustin Ingram's PyCon talk "Secure Software Supply Chains"
    Protection against insecure imports
    

    View Slide

49. General questions
    

    View Slide

50. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    What do you love about Python the most?
    

    View Slide

51. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    

    View Slide

52. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Which books would you say
    are must read for Python developer?
    

    View Slide

53. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    

    View Slide

54. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Which IDE are you using?
    Do you use any plugins for making programming
    easier / more comfortable?
    

    View Slide

55. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
    Are you using any website daily for python /
    programming knowledge improvement?
    

    View Slide

56. Questions?
    @ChristianHeimes
    [email protected]
    [email protected]
    https://speakerdeck.com/tiran/
    

    View Slide

57. THANK YOU
    plus.google.com/+RedHat
    youtube.com/user/RedHatVideos
    facebook.com/redhatinc
    twitter.com/RedHatNews
    linkedin.com/company/red-hat
    

    View Slide