The Real Python Podcast

Securing Your Python Software Supply Chain With Dustin Ingram


How well do you know your software supply chain? When you `pip install` a package, what steps can you take to minimize the risk of installing something malicious? This week on the show, we have Dustin Ingram, a director of the Python Software Foundation (PSF) and a maintainer of the Python Package Index (PyPI).

We talk about Dustin’s PyCon 2021 talk titled “Secure Software Supply Chains for Python”. Dustin shares the types of attacks you should be aware of and how you can make your supply chain more trustworthy. We cover tools, techniques, and best practices.

Dustin also discusses what it takes to keep the Python Package Index running and the players working to keep it going into the future.

Course Spotlight: A Beginner’s Guide to Pip

This course is a great introduction to pip for those who are getting started with Python, and for those who want to understand more about what is happening when you install new packages into your environment. It’s a worthy investment of your time to understand the fundamentals of pip.

Topics:

  • 00:00:00 – Introduction
  • 00:01:51 – Developer Advocate at Google
  • 00:04:34 – A director of the PSF
  • 00:06:27 – A maintainer of PyPI
  • 00:12:29 – Secure Software Supply Chains for Python - PyCon 2021
  • 00:15:53 – Do I need to be a security expert as a Python developer?
  • 00:17:23 – Typo-squatting of package names
  • 00:19:46 – Sponsor: Scout APM
  • 00:20:52 – Dependency confusion and private repos
  • 00:26:00 – What are some best practices?
  • 00:31:55 – How to lessen the scale of “I don’t know what I don’t know”?
  • 00:36:33 – Tools and techniques that can help
  • 00:44:11 – Video Course Spotlight
  • 00:45:30 – Namespaces on PyPI
  • 00:53:03 – What does it take to power the Python Package Index?
  • 01:01:57 – What are you excited about in the world of Python?
  • 01:03:55 – What do you want to learn next?
  • 01:05:52 – What is something you thought you knew about Python, but were wrong about it?
  • 01:08:46 – Shout outs and social information
  • 01:10:16 – Thanks and goodbye

Show Links:

    • Dustin Ingram: Personal Website
    • Python on Google Cloud
    • Cloud Run: Develop and deploy highly scalable containerized applications on a fully managed serverless platform
    • Python Software Foundation
    • PSF Membership FAQ
    • PyPI: The Python Package Index
    • Secure Software Supply Chains for Python: PyCon 2021 - YouTube
    • pip Documentation: Requirements Files
    • pip Documentation: Hash-Checking Mode
    • PEP-0440: Direct references for pip
    • pip-tools: pip-tools keeps your pinned dependencies fresh
    • PyPA: Python Packaging User Guide
    • The Update Framework (TUF)
    • tuf: A secure updater framework for Python
    • pipx: Install and Run Python Applications in Isolated Environments
    • How to Publish an Open-Source Python Package to PyPI - Real Python Article
    • Poetry: Python packaging and dependency management made easy
    • PyUp: Python Dependency Security
    • Dependabot: Automated dependency updates
    • Why Package Signing is not the Holy Grail: Donald Stufft
    • Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
    • What Is Pip? A Guide for New Pythonistas - Real Python Article
    • A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack
    • Security scanners for Python and Docker: from code to dependencies
    • What does it take to power the Python Package Index?
    • Level up your Python skills with our expert-led courses:

      • A Beginner's Guide to pip
      • How to Publish Your Own Python Package to PyPI
      • Python Modules and Packages: An Introduction