A presentation at PyCon UK in in Cardiff, UK by Aaron Bassett
AVOIDING THE "LEFT-PAD" PROBLEM: HOW TO SECURE YOUR PIP INSTALL PROCESS @aaronbassett getadministrate.com
@AARONBASSETT
getadministrate.com
What are packages?
“Most software today is very much like an Egyptian pyramid with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.” Alan Kay
PRODUCTION
QUALITY ASSURANCE
LOCAL DEVELOPMENT
• 40,000 pages of specifications • 420,000 • 17 lines of code errors in last 11 versions
THE ONLY BUG FREE CODE IS NO CODE
ORPHAN PACKAGES
PIP TOOLS TO THE RESUCE
pip-sync
"LEFT-PAD" PROBLEM
KEEP IT LOCAL
PIP HASH
hashin 0.6.0
• Inspect code before installing • Be your own Pypi • Use pip-compile and pip-sync • Hash all the things
THANK YOU @aaronbassett getadministrate.com
When Azer Koçulu pulled 11 lines of code from npm he not only broke thousands of dependent packages but also prevented developers all over the world from deploying their code. This talk will show how you can harden your pip install process, ensure that packages have not been tampered with, protect against MITM attacks and even how to keep deploying if a package is deleted or if PyPI goes offline.
Here’s what was said about this presentation on social media.
for free. You
can too.