Now on at #PyconUS2022 is @di_codes talking about Securing the Open Source Supply Chain.
ABCs of the software supply chain
Artifact: i.e. a file on PyPI
Attestation: evidence or proof that something happened
Advisory: public disclosure, CVEs
Build: build process produces artifacts
Certificate: easier now, with Let's Encrypt
Digest: hash digest, not reversible
Ephemeral: used once and thrown away (in context of cryptographic keys and signing)
F: Fuzzing (vary inputs)
G: Google
Hardware keys: best path for 2FA
Identity: unique and verifiable
Joe Biden: Executive Order
Key: used to verify a signature made by the keyholder
Lockfile: Pipfile.lock
Money: software costs money to make, especially free and open source software. Elevating the security of the chain won’t come for free. Orgs need to commit money
Non-forgeable: content of attestation can’t be modified
OpenID Connect: verify and exchange identities
Provenance: history of an artifact
Policy: describe expectations
Remediation: fix what’s wrong, ideally easy or automatic
Signature: proof keyholder was in possession of key
Transparency Log: public, immutable record of signed attestations
Vulnerability: bug in software with security consequences
Use pip-audit for a rundown of vulnerabilities in your project.
Run it on your laptop now to see if you have any installed vulnerabilities.
Announcement:
- Coming soon to PyPI: voluntary 2FA for collaborators!!
- 2FA mandate for critical projects (Top 1% of projects)
- Giving away 4K Google Titan keys to maintainers of critical projects (soon!)
- Credentials publication via OIDC
- PEP 480
OpenSSF - new multi-organization non-profit, part of the Linux Foundation, working on supply chain security. Members include Google (and Microsoft!)
On now at #PyConUS2022: Brandt Bucher on Python’s Structural Pattern Matching. He works at Microsoft on improving Python performance with @gvanrossum.
Advice for getting started speaking at conferences:
Don’t be afraid to throw your hat into the ring. “I have nothing new to say, it’s all been covered” is a myth that I hear beginners perpetuate as a way to talk themselves out of speaking. It's not true.
What an audience is genuinely interested in is your unique perspective, your story, and the way you tell it. Storytelling is as much a part of a great talk as technical knowledge.
@brandon_rhodes is one of the best storytellers in our community, and his talks are a great resource for becoming familiar with the technique.