PyCon LT 2021 Keynote: Ask a core developer anything

Keynote Ask a core developer anything PyCon LT 2021 /
Vilnius 2021-09-03 Christian Heimes Principal Software Engineer [email protected] / [email protected] @ChristianHeimes

Ask me anything, PyCon LT 2021, @ChristianHeimes, CC BY-SA 4.0
• Introduction • PSF & Python • Pre-submitted questions • core dev questions • security questions • general questions • Live questions Agenda sli.do #765699

You can ask me anything • questions should be related to Python somehow • answers should be of interest for the audience • keep your questions short (20 secs, 3 sentences) • keep it fun and educational, but questions about bad experiences are ok, too. • no politics, no religion, no (too) private questions • I might skip a question if I don't know the answer well enough. Rules

Who am I? • he/him • from Hamburg/Germany • Python core developer, Python security team, PSF Diversity & Inclusion WG • Principal Software Engineer at Red Hat Identity Management and Platform Security

• 1997 Linux user and admin • 2000 network, email, and security admin in students dorm • 2001 Python 2.1, Zope/Plone contributor • 2003 first Python conference (EuroPython in Charleroi/BE) • 2007 Python core dev, PSF member • 2012/13 Python Security Team • 2013 conference speaker • 2015 Red Hat • 2020 Diversity & Inclusion WG Open source career

• math and cmath improvements, float('inf') • Python 3000 • str/bytes split, b'' prefix in Python 2 • forward/backport porting • The “ssl & security guy” • ssl, hashlib module, OpenSSL integration • Security improvements and fixes • PEP 370, 452, 456, 644, 543, 594, 8001 pip install --user Python contribution

PSF & Python

Python Software Foundation Steering Council Python Core Dev Board of Directors D&I WG CoC WG PyPA SIG

The mission of the Python Software Foundation is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers. The Python Software Foundation (PSF) is a non-profit membership organization devoted to advancing open source technology related to the Python programming language. Python Software Foundation

• Board of Directors • paid position • event coordinator, director of infrastructure, treasury, ... • Working Groups / Special Interest Groups • Infrastructure, Packaging (PyPA) • Trademark, Legal, Marketing, Bylaws • Diversity & Inclusion • Code of Conduct • Scientific Python, Education Python Software Foundation

• Basic, non-voting members • Supporting members • annual donation $ 99 USD or more • Managing members • 5h/month community or Python ecosystem support • Contributing members • 5h/month for OSS maintainers • Fellow PSF Membership https://www.python.org/psf/membership/

• ~90 "active" core developers • Government • Guido was BDFL until 2018 • Steering Council with 5 members for each release (PEP 8000, 8016, 8100+) • Release Manager Python Core Development

• Python users are from all over the world • most core developers are from North America and West Europe • majority of core developers are white men • PSF board lacks representation from LATAM and SE Asia Diversity & Inclusion WG

Pre-submitted questions

How did you become a core developer?

Who pays for core devs' work? How much is voluntary (on free time) and how much is paid by the employer? (probably varies, but maybe some estimates?)

volunteers

paid in exposure

• PSF sponsors • Łukasz Langa, developer in residence (DIR) • core sprint sponsoring • Employer sponsor • work time • travel time & expenses • Github sponsor, Tidelift • mostly volunteer work Who pays for core development?

How much time do different employers give to core devs to work on open source Python? E.g. Red Hat, Microsoft, Bloomberg, etc.

• Red Hat • Victor Stinner: 100% • Petr Viktorin & Python maintenance team • hardware, upstream and packaging contributions • me: case-by-case, ~ 15 conference days / year • Google, Microsoft, others: 1 day / week (?) • Microsoft: several full time jobs for Faster Python effort • Bloomberg: Pablo 50% for Faster Python effort Company time

As a core dev, how much time do you spend in Python and how much in other languages (e.g. C)?

What new exciting project (maybe imaginary) would you like to work on?

Is there some area/subfield of Python that you feel you don't know too well (as the rest of us mortals)?

What would you magically change for Python if you could? E.g. more core devs, better salaries, more open source time from employers, more non-core dev people...

Security questions

Who are the main developers involved in Python security?

• Release managers: Benjamin, Larry, Ned, Łukasz, Pablo • PyPA / PSF Infra: Ee W. Durbin, Dustin, Pradyun • Vendors • Google: Gregory P. Smith • Microsoft: Steve Dower • Red Hat: Victor Stinner, me • Alex Gaynor, Barry, Glyph, Guido, Serhiy • ... Python Security Response Team

What were the biggest Python vulnerabilities in the past?

Hash collision attack on dictionaries >>> hash('de') 12800076900115529 >>> hash('de') & (8 - 1) 1 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 de

Hash collision attack >>> hash('df') 6672104196504639850 >>> hash('df') & (8 - 1) 2 0 1 2 3 4 5 6 7 de df

Hash collision attack – fixed by PEP 456 >>> hash('cf') & (8 - 1) 1 >>> hash('bg') & (8 - 1) 1 0 1 2 3 4 5 6 7 de cf bg df

Parsing plain text protocols sock = create_connection(('host', 80)) f = sock.makefile() for line in f: name, value = line.split(':', 1) ...

• ssl module: X.509 certificate hostname matching • regular expression denial of service (REDOS) • XML entity extension attacks (XML bomb, file inclusion) • HTTP header parsing • file descriptor inheritance • usual C bugs (buffer overflow, use-after-free, ...) More security vulnerabilities

What are the most common security issues in Python?

• OWASP Top 20 • input validation and sanitation issues (SQL injection attacks) • code injection with eval(), exec(), or __import__() • os.system() and subprocess call with string arguments • insecure or missing TLS/SSL • misuse of cryptography • credential leaks (logging, readable config files, git) • missing security updates • supply chain attacks Security issues in Python applications

Are packages from PyPI safe? No (for some definition of "No")

• free account registration • no project name verification typo squatting → • no code review or scanning on upload • project can contain malicious code • maintainer may accidentally introduce bug • maintainer compromised • maintainer could go rogue and deliberately add a vulnerability • CI/CD pipeline compromised PyPI security

• TUF – The Update Framework • PEP 480 Surviving a compromise of PyPI • PEP 458 Secure PyPI downloads with signed repository metadata • Python wheels • SSSC-SIG (Secure Software Supply Chains for Python) • Shared format for OSS vulnerability data (Google) • Code signing sigstore (Google, Red Hat, et al.) • Code behavior analysis efforts (e.g. Project Toth by Red Hat) PyPI security effort

Any tips how we can protect ourselves against insecure imports in our Python applications?

• review all dependencies and updates • optionally: run your own PyPI mirror with limited packages • use requirements.txt with pins and hashes • run application as unprivileged user with limited permissions and capabilities • read-only code • no root (even in containers) • use systemd security features • Dustin Ingram's PyCon talk "Secure Software Supply Chains" Protection against insecure imports

General questions

What do you love about Python the most?

Which books would you say are must read for Python developer?

Which IDE are you using? Do you use any plugins for making programming easier / more comfortable?

Are you using any website daily for python / programming knowledge improvement?

Questions? @ChristianHeimes [email protected] [email protected] https://speakerdeck.com/tiran/

THANK YOU plus.google.com/+RedHat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHatNews linkedin.com/company/red-hat

PyCon LT 2021 Keynote: Ask a core developer any...

PyCon LT 2021 Keynote: Ask a core developer anything

More Decks by Christian Heimes

Other Decks in Programming

Featured

Transcript