Now on at #PyconUS2022 is ⁦@di_codes⁩ talking about Securing the Open Source Supply Chain.
ABC’s of software supply chain
Artifact: i.e. a file on PyPI
Attestation: evidence or proof that something happened
Advisory: public disclosure, CVEs
Build: build process produces artifacts
Certificate: easier now, with Let's Encrypt
Digest: hash digest, not reversible
Ephemeral: used once and thrown away (in context of cryptographic keys and signing)
F: Fuzzing (vary inputs)
G: Google
Hardware keys: best path for 2FA
Identity: unique and verifiable
Joe Biden: Executive Order
Key: verify signature by keyholder
Lockfile: Pipfile.lock
Money: software costs money to make, especially free and open source. Elevating security chain won’t come for free. Orgs need to commit money
Non-forgeable: content of attestation can’t be modified
OpenID Connect: verify and exchange identities
Provenance: history of an artifact
Policy: describe expectations
Remediation: fix what’s wrong, ideally easy or automatic
Signature: proof keyholder was in possession of key
Transparency Log: public immutable record of signs of attestation
Vulnerability: bug in software with security consequences
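The Digest and Lockfile entries above describe what pip's hash-checking mode does: an installer only accepts an artifact whose sha256 digest is one the lockfile pins. This added example (not from the talk or the thread) builds a constructed Pipfile.lock fragment around constructed artifact bytes and checks a good and a tampered artifact against it; the package name and bytes are made up.

```python
import hashlib
import json

# Constructed artifact contents standing in for a wheel and an sdist.
GOOD_WHEEL = b"PK\x03\x04 examplepkg-1.0.0-py3-none-any.whl (constructed bytes)"
GOOD_SDIST = b"\x1f\x8b examplepkg-1.0.0.tar.gz (constructed bytes)"
# Same wheel with one line appended, as a tampered download would look.
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected line"


def sha256_digest(data: bytes) -> str:
    """Return the lockfile-style digest string 'sha256:<hex>' for data."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


# Constructed Pipfile.lock fragment in the real layout: per package, a pinned
# version and the list of digests an installer may accept (one per file).
LOCKFILE = json.dumps({
    "_meta": {"pipfile-spec": 6},
    "default": {
        "examplepkg": {
            "version": "==1.0.0",
            "hashes": [sha256_digest(GOOD_WHEEL), sha256_digest(GOOD_SDIST)],
        }
    },
})


def allowed_digests(lockfile_text: str, package: str) -> set:
    """Digests the lockfile pins for package, from either section."""
    lock = json.loads(lockfile_text)
    for section in ("default", "develop"):
        entry = lock.get(section, {}).get(package)
        if entry is not None:
            return set(entry.get("hashes", []))
    raise KeyError(f"{package} is not pinned in the lockfile")


def verify_artifact(lockfile_text: str, package: str, data: bytes) -> bool:
    """True only if the artifact's digest is one the lockfile pins for package."""
    return sha256_digest(data) in allowed_digests(lockfile_text, package)


if __name__ == "__main__":
    checks = [("wheel", GOOD_WHEEL), ("sdist", GOOD_SDIST), ("tampered", TAMPERED_WHEEL)]
    for label, blob in checks:
        ok = verify_artifact(LOCKFILE, "examplepkg", blob)
        print(f"{label}: {'ok' if ok else 'REJECTED'}")
```

pip enforces the same rule for a requirements file with `pip install --require-hashes -r requirements.txt`, and a digest mismatch aborts the install rather than warning.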
Use pip-audit for a run down of vulnerabilities in your project.

Run it on your laptop now to see if you have any installed vulnerabilities.

pypi.org/project/pip-au…
Sigstore: new way to think about signatures, identity and trust. Built on top of OAuth.

Keys are ephemeral.

Every signature is stored in a transparency log.

New sigstore tool on PyPI is working towards a 1.0 release.

sigstore.dev/undefined/

pypi.org/project/sigsto…
Tools that can help:
SLSA (salsa!) security framework
in-toto: ensures integrity of an artifact

slsa.dev
in-toto.io
Announcement:
- Coming soon to PyPI: voluntary 2FA for collaborators!!
- 2FA mandate for critical projects (Top 1% of projects)
- Giving away 4K Google Titan keys to maintainers of critical projects (soon!)
- Credentials publication via OIDC
- PEP 480
OpenSSF: new multi-organization non-profit, part of the Linux Foundation, working on supply chain security. Members include Google (and Microsoft!)

openssf.org

Thread by Nina Zakharenko 💜🐍 (@nnja)