Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PyCon LT 2021 Keynote: Ask a core developer anything

PyCon LT 2021 Keynote: Ask a core developer anything

https://pretalx.com/pyconlt2020/talk/QUZLAS/

What did you always wanted to know about Python core development,
security, global Python community, or open source development in
generak? You get a chance to have your questions answered by a long-time
Python core developer and professional open source developer. I will
answer your questions live on stage at PyCon Lithuania.

To give you some ideas for topics:

* Python core development
* Python security and PSRT
* Python history, 2 to 3 migration
* PSF, community and Diversity & Inclusion
* public speaking, conferences and travel adventures

Christian Heimes

September 03, 2021
Tweet

More Decks by Christian Heimes

Other Decks in Programming

Transcript

  1. Keynote Ask a core developer anything PyCon LT 2021 /

    Vilnius 2021-09-03 Christian Heimes Principal Software Engineer [email protected] / [email protected] @ChristianHeimes
  2. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • Introduction • PSF & Python • Pre-submitted questions • core dev questions • security questions • general questions • Live questions Agenda sli.do #765699
  3. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    You can ask me anything • questions should be related to Python somehow • answers should be of interest for the audience • keep your questions short (20 secs, 3 sentences) • keep it fun and educational, but questions about bad experiences are ok, too. • no politics, no religion, no (too) private questions • I might skip a question if I don't know the answer well enough. Rules
  4. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Who am I? • he/him • from Hamburg/Germany • Python core developer, Python security team, PSF Diversity & Inclusion WG • Principal Software Engineer at Red Hat Identity Management and Platform Security
  5. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • 1997 Linux user and admin • 2000 network, email, and security admin in students dorm • 2001 Python 2.1, Zope/Plone contributor • 2003 first Python conference (EuroPython in Charleroi/BE) • 2007 Python core dev, PSF member • 2012/13 Python Security Team • 2013 conference speaker • 2015 Red Hat • 2020 Diversity & Inclusion WG Open source career
  6. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • math and cmath improvements, float('inf') • Python 3000 • str/bytes split, b'' prefix in Python 2 • forward/backport porting • The “ssl & security guy” • ssl, hashlib module, OpenSSL integration • Security improvements and fixes • PEP 370, 452, 456, 644, 543, 594, 8001 pip install --user Python contribution
  7. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Python Software Foundation Steering Council Python Core Dev Board of Directors D&I WG CoC WG PyPA SIG
  8. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    The mission of the Python Software Foundation is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers. The Python Software Foundation (PSF) is a non-profit membership organization devoted to advancing open source technology related to the Python programming language. Python Software Foundation
  9. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • Board of Directors • paid position • event coordinator, director of infrastructure, treasury, ... • Working Groups / Special Interest Groups • Infrastructure, Packaging (PyPA) • Trademark, Legal, Marketing, Bylaws • Diversity & Inclusion • Code of Conduct • Scientific Python, Education Python Software Foundation
  10. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • Basic, non-voting members • Supporting members • annual donation $ 99 USD or more • Managing members • 5h/month community or Python ecosystem support • Contributing members • 5h/month for OSS maintainers • Fellow PSF Membership https://www.python.org/psf/membership/
  11. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • ~90 "active" core developers • Government • Guido was BDFL until 2018 • Steering Council with 5 members for each release (PEP 8000, 8016, 8100+) • Release Manager Python Core Development
  12. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • Python users are from all over the world • most core developers are from North America and West Europe • majority of core developers are white men • PSF board lacks representation from LATAM and SE Asia Diversity & Inclusion WG
  13. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Who pays for core devs' work? How much is voluntary (on free time) and how much is paid by the employer? (probably varies, but maybe some estimates?)
  14. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • PSF sponsors • Łukasz Langa, developer in residence (DIR) • core sprint sponsoring • Employer sponsor • work time • travel time & expenses • Github sponsor, Tidelift • mostly volunteer work Who pays for core development?
  15. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    How much time do different employers give to core devs to work on open source Python? E.g. Red Hat, Microsoft, Bloomberg, etc.
  16. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • Red Hat • Victor Stinner: 100% • Petr Viktorin & Python maintenance team • hardware, upstream and packaging contributions • me: case-by-case, ~ 15 conference days / year • Google, Microsoft, others: 1 day / week (?) • Microsoft: several full time jobs for Faster Python effort • Bloomberg: Pablo 50% for Faster Python effort Company time
  17. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    As a core dev, how much time do you spend in Python and how much in other languages (e.g. C)?
  18. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    What new exciting project (maybe imaginary) would you like to work on?
  19. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Is there some area/subfield of Python that you feel you don't know too well (as the rest of us mortals)?
  20. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    What would you magically change for Python if you could? E.g. more core devs, better salaries, more open source time from employers, more non-core dev people...
  21. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Who are the main developers involved in Python security?
  22. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • Release managers: Benjamin, Larry, Ned, Łukasz, Pablo • PyPA / PSF Infra: Ee W. Durbin, Dustin, Pradyun • Vendors • Google: Gregory P. Smith • Microsoft: Steve Dower • Red Hat: Victor Stinner, me • Alex Gaynor, Barry, Glyph, Guido, Serhiy • ... Python Security Response Team
  23. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    What were the biggest Python vulnerabilities in the past?
  24. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Hash collision attack on dictionaries >>> hash('de') 12800076900115529 >>> hash('de') & (8 - 1) 1 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 de
  25. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Hash collision attack >>> hash('df') 6672104196504639850 >>> hash('df') & (8 - 1) 2 0 1 2 3 4 5 6 7 de df
  26. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Hash collision attack – fixed by PEP 456 >>> hash('cf') & (8 - 1) 1 >>> hash('bg') & (8 - 1) 1 0 1 2 3 4 5 6 7 de cf bg df
  27. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Parsing plain text protocols sock = create_connection(('host', 80)) f = sock.makefile() for line in f: name, value = line.split(':', 1) ...
  28. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • ssl module: X.509 certificate hostname matching • regular expression denial of service (REDOS) • XML entity extension attacks (XML bomb, file inclusion) • HTTP header parsing • file descriptor inheritance • usual C bugs (buffer overflow, use-after-free, ...) More security vulnerabilities
  29. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    What are the most common security issues in Python?
  30. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • OWASP Top 20 • input validation and sanitation issues (SQL injection attacks) • code injection with eval(), exec(), or __import__() • os.system() and subprocess call with string arguments • insecure or missing TLS/SSL • misuse of cryptography • credential leaks (logging, readable config files, git) • missing security updates • supply chain attacks Security issues in Python applications
  31. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Are packages from PyPI safe? No (for some definition of "No")
  32. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • free account registration • no project name verification typo squatting → • no code review or scanning on upload • project can contain malicious code • maintainer may accidentally introduce bug • maintainer compromised • maintainer could go rogue and deliberately add a vulnerability • CI/CD pipeline compromised PyPI security
  33. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • TUF – The Update Framework • PEP 480 Surviving a compromise of PyPI • PEP 458 Secure PyPI downloads with signed repository metadata • Python wheels • SSSC-SIG (Secure Software Supply Chains for Python) • Shared format for OSS vulnerability data (Google) • Code signing sigstore (Google, Red Hat, et al.) • Code behavior analysis efforts (e.g. Project Toth by Red Hat) PyPI security effort
  34. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Any tips how we can protect ourselves against insecure imports in our Python applications?
  35. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    • review all dependencies and updates • optionally: run your own PyPI mirror with limited packages • use requirements.txt with pins and hashes • run application as unprivileged user with limited permissions and capabilities • read-only code • no root (even in containers) • use systemd security features • Dustin Ingram's PyCon talk "Secure Software Supply Chains" Protection against insecure imports
  36. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    What do you love about Python the most?
  37. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Which books would you say are must read for Python developer?
  38. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Which IDE are you using? Do you use any plugins for making programming easier / more comfortable?
  39. Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0

    Are you using any website daily for python / programming knowledge improvement?