The Python Podcast.__init__

The Update Framework: Securing Your Software Updates with Justin Cappos


Summary

If you write software then there’s a good probability that you have had to deal with installing dependencies, but did you stop to ask whether you’re installing what you think you are? My guest this week is Professor Justin Cappos from the Secure Systems Lab at New York University and he joined me to discuss his work on The Update Framework which was built to guarantee that you never install a compromised package in your systems.

Preface
  • Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.
  • I would like to thank everyone who has donated to the show. Your contributions help us make the show sustainable.
  • When you’re ready to launch your next project you’ll need somewhere to deploy it. Check out Linode at linode.com/podcastinit and get a $20 credit to try out their fast and reliable Linux virtual servers for running your awesome app.
  • Visit our site to subscribe to our show, sign up for our newsletter, read the show notes, and get in touch.
  • To help other people find the show you can leave a review on iTunes or Google Play Music, and tell your friends and co-workers.
  • Your host as usual is Tobias Macey and today I’m interviewing Justin Cappos about The Update Framework, an open spec and reference implementation for mitigating attacks on software update systems.

Interview
  • Introduction
  • How did you first get introduced to Python?
  • Please start by explaining what The Update Framework (TUF) is and the problem that you were trying to solve when you created it.
  • How is TUF architected and what led you to choose Python for the reference implementation?
  • TUF addresses the problem of ensuring that the packages that get installed are created by the right developers, but how do you properly establish trust in the first place?
  • Why are consistent and auditable dependencies important for the security of a system and how does TUF help with that goal?
  • What are some of the known attack vectors for a software update system and how do Python and other systems attempt to mitigate these vulnerabilities?
  • One of the perennial problems with any dependency management system is that of transitive dependencies. How does TUF handle this extra complexity of ensuring that all of the secondary, tertiary, etc. dependencies are also properly pinned and trusted?
  • For someone who wants to start using TUF, what are the steps to get it set up with pip?
  • How would a project that wants to use TUF do so?
  • Who is using TUF and when will it be used with PyPI?

Keep In Touch
  • https://ssl.engineering.nyu.edu/?utm_source=rss&utm_medium=rss
  • https://ssl.engineering.nyu.edu/personalpages/jcappos/?utm_source=rss&utm_medium=rss

Picks
  • Tobias
    • The Enchanted Forest Chronicles
  • Justin
    • Hand Pulled Noodles
    • Lam Zhou

Links
  • When the Going Gets Tough, Get TUF Going – PyCon 2016
  • RPM
  • Apt
  • Stork Package Manager
  • Yubikey
  • Distribution Packages Considered Insecure
  • Notary
  • Flynn
  • Uptane
  • in-toto

The intro and outro music is from Requiem for a Fish by The Freak Fandango Orchestra / CC BY-SA
