Dustin Ingram
@google open source security team, @thepsf director, @pypi maintainer. he/him
Jun 30, 2022 33 tweets 12 min read
hey I want to tell y'all a story:

"the time I tried to kill python 2.6, and the lessons I learned about open source"

I've been sitting on this for a long time, but figure it's probably time to share

funny enough, this story starts with me trying to SUPPORT python 2.6 ... so, I was at an interview many years ago, at a python shop. after they asked me all their questions, I got to ask them some. this was at a time when many places were transitioning from 2 to 3, so I asked:

"what version of Python do you use?"

and they said:

"1.8"

...wat
Dec 1, 2021 10 tweets 5 min read
Today I’m announcing the first stable release of a project that’s been in the works for a few months:

pip-audit: a tool for identifying Python packages with known vulnerabilities.

pypi.org/p/pip-audit/

pip-audit is a bit different from existing vulnerability detection tooling.

First, it's the first tool to use vulnerability data directly from @pypi, via a new feature of PyPI's JSON API.

warehouse.pypa.io/api-reference/…
Jul 1, 2021 28 tweets 7 min read
oh looks like I got early access to github copilot, time to explore my favorite genre of humor: making computers do dumb things

bad news for the rest of us
Apr 23, 2020 11 tweets 3 min read
Today we merged support on @pypi for PEP 592, adding the ability to "yank" releases, and for installers to determine which releases have been "yanked"! Nice!

...but, uh, what is a "yanked" release, you might ask?

(1/11)

First let's talk about pinning dependencies, a pattern that's generally considered best practice for dependency management.

Pinning (or locking) dependencies means that you won't get automatically upgraded to the latest release when you do an installation or deployment.

(2/11)
Aug 14, 2019 9 tweets 2 min read
Some researchers downloaded all of @pypi (!) and parsed the source of every package (!!!)

Some insights below 👇

(1/9)

Insight #1: PyPI is growing.

Compound Annual Growth Rate (CAGR) for new packages, active packages, new releases, and new authors are all in the double-digits:

• New packages: 43.28%
• Active packages: 47.31%
• New releases: 51.21%
• New authors: 39.30%

(2/9)