AVOIDING THE "LEFT-PAD" PROBLEM: HOW TO SECURE YOUR PIP INSTALL PROCESS @aaronbassett getadministrate.com
Slide 4
What are packages?
Slide 6
“Most software today is very much like an Egyptian pyramid with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.” Alan Kay
Slide 19
PRODUCTION
Slide 20
QUALITY ASSURANCE
Slide 21
LOCAL DEVELOPMENT
Slide 23
• 40,000 pages of specifications
• 420,000 lines of code
• 17 errors in the last 11 versions
Slide 24
THE ONLY BUG FREE CODE IS NO CODE
Slide 28
ORPHAN PACKAGES
Slide 29
PIP TOOLS TO THE RESCUE
Slide 35
pip-sync
Slide 36
"LEFT-PAD" PROBLEM
Slide 37
KEEP IT LOCAL
Slide 46
PIP HASH
Slide 49
hashin 0.6.0
Slide 50
• Inspect code before installing
• Be your own PyPI
• Use pip-compile and pip-sync
• Hash all the things
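The closing list is the whole procedure, so here is one worked example of the last two points together: what a pip-compile style hash-pinned requirements file looks like, what `pip install --require-hashes` refuses to install, and what the hash check does once an artifact has been downloaded. This is an added example in Python (pip is a Python tool), not code from the talk and not pip's, pip-tools' or hashin's own implementation. The requirements text is constructed for illustration: the versions are arbitrary and the digests are fake placeholders, not real PyPI artifacts. The function names (`parse_requirements`, `audit`, `pip_hash`, `verify_artifact`, `demo`) are this example's own.

```python
"""Hash-pinned requirements, checked offline the way pip's hash-checking mode
checks them.  Added example for this deck; not the speaker's code and not the
implementation inside pip, pip-tools or hashin."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample in the layout `pip-compile --generate-hashes` writes.
# Versions are arbitrary and the digests are placeholders (not real PyPI
# files); a real file lists one digest per wheel/sdist published for a release.
FAKE_A, FAKE_B, FAKE_C = "a" * 64, "b" * 64, "c" * 64
SAMPLE_REQUIREMENTS = f"""\
# This file is autogenerated by pip-compile (constructed sample)
requests==2.20.0 \\
    --hash=sha256:{FAKE_A} \\
    --hash=sha256:{FAKE_B}
six==1.11.0 \\
    --hash=sha256:{FAKE_C}
# hand-edited afterwards: a range instead of a pin
flask>=1.0
# hand-edited afterwards: pinned, but nobody added a hash
click==6.7
"""

HASH_OPT = re.compile(r"^--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)$")
PINNED = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([^;\s]+)")
COMMENT = re.compile(r"(^|\s)#.*$")   # '#' starts a comment at BOL or after space


def _logical_lines(text):
    """Join backslash-continued lines (pip-compile splits each --hash onto its
    own physical line) and drop comments and blank lines."""
    buf = []
    for raw in text.splitlines():
        line = COMMENT.sub("", raw).rstrip()
        if not line:
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)


def parse_requirements(text):
    """Return [(name, pinned_version_or_None, [(algo, hex_digest), ...]), ...]."""
    entries = []
    for logical in _logical_lines(text):
        spec, *opts = logical.split()
        m = PINNED.match(spec)
        if m:
            name, version = m.group(1).lower(), m.group(3)
        else:  # not an == pin: keep the bare project name, no version
            name = re.split(r"[<>=!~\[;]", spec, maxsplit=1)[0].lower()
            version = None
        hashes = [(h.group(1), h.group(2).lower())
                  for h in map(HASH_OPT.match, opts) if h]
        entries.append((name, version, hashes))
    return entries


def audit(text):
    """The two things `pip install --require-hashes` refuses outright: a
    requirement not pinned with ==, and a pinned one that carries no --hash."""
    problems = []
    for name, version, hashes in parse_requirements(text):
        if version is None:
            problems.append(f"{name}: not pinned with ==, so it cannot be hash-checked")
        elif not hashes:
            problems.append(f"{name}=={version}: pinned but carries no --hash option")
    return problems


def pip_hash(path):
    """SHA-256 of an artifact, in the form `pip hash <file>` prints it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return f"--hash=sha256:{h.hexdigest()}"


def verify_artifact(path, allowed):
    """What hash-checking mode does after download: accept only if the file's
    digest is one of the pinned ones, otherwise refuse to install it."""
    digest = pip_hash(path).split(":", 1)[1]
    return any(algo == "sha256" and d == digest for algo, d in allowed)


def demo():
    """Pin a fake wheel's real digest, then change the file as a compromised
    or re-uploaded release would; returns (pinned_digest, ok_before, ok_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        wheel = Path(tmp) / "pkg-1.0-py3-none-any.whl"   # constructed, not a real wheel
        wheel.write_bytes(b"fake wheel contents")
        pinned = [("sha256", pip_hash(wheel).split(":", 1)[1])]
        ok_before = verify_artifact(wheel, pinned)
        wheel.write_bytes(b"fake wheel contents, but modified upstream")
        ok_after = verify_artifact(wheel, pinned)
    return pinned[0][1], ok_before, ok_after


if __name__ == "__main__":
    for problem in audit(SAMPLE_REQUIREMENTS):
        print("would fail --require-hashes:", problem)
    print("digest %s  original ok=%s  tampered ok=%s" % demo())
```

In practice the file is produced with `pip-compile --generate-hashes requirements.in`, kept in step with `pip-sync requirements.txt`, and installed with `pip install --require-hashes -r requirements.txt`; `pip hash <file>` prints the same `--hash=sha256:` line the example computes, and `hashin <package>==<version>` adds a release's digests to requirements.txt for you. For the "keep it local" point, `pip download -d wheels -r requirements.txt` followed by `pip install --no-index --find-links wheels --require-hashes -r requirements.txt` installs from a directory you control, so a package vanishing from PyPI no longer breaks the build and the hashes still guard against a swapped file.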