Episode 177: Welcoming PyPI's Safety & Security Engineer Mike Fiedler
The Real Python Podcast
Oct 20, 2023 58m
You may remember a recent Python Package Index (PyPI) announcement about hiring a full-time security engineer. We’ve also mentioned several current security initiatives from PyPI. This week on the show, we talk with Mike Fiedler about accepting this new role and securing accounts on PyPI.
Mike talks about how he started as a contributor to PyPI and eventually became a maintainer. We dig into why he fits this new role well and what his responsibilities are.
We discuss the initiative to secure accounts using two-factor authentication (2FA) methods. Mike also explains how package maintainers can adopt a new, more secure publishing method called trusted publishing that doesn’t require long-lived passwords.
We also discuss Mike’s recent talk called “How to Give Back to Open Source Without Losing Your Mind.” Mike shares advice and resources for finding your own contribution entry points.
Course Spotlight: Publishing Python Packages to PyPI
In this video course, you’ll learn how to create a Python package for your project and how to publish it to PyPI, the Python Package Index. Quickly get up to speed on everything from naming your package to configuring it using setup.cfg
.
Topics:
- 00:00:00 – Introduction
- 00:02:11 – PyPI Safety and Security Engineer
- 00:05:21 – Why did you initially become a PyPI contributor?
- 00:11:26 – What are you most excited about in your new role?
- 00:12:02 – Current security concerns
- 00:15:07 – Focus on malicious package reporting
- 00:16:30 – 2FA enforcement and building trust
- 00:26:51 – Managing credentials and password managers
- 00:29:24 – Forms of 2FA
- 00:31:48 – Trusted publishers
- 00:38:08 – Video Course Spotlight
- 00:39:28 – Updating an older project
- 00:41:44 – Evolution of security
- 00:43:06 – Typosquatting and evolving security
- 00:49:13 – How To Give Back to Open Source Without Losing Your Mind
- 00:52:48 – What are you excited about in the world of Python?
- 00:54:45 – What do you want to learn next?
- 00:57:06 – How can people follow your work online?
- 00:57:37 – Thanks and goodbye
Show Links:
- PyPI hires a Safety & Security Engineer - The Python Package Index
- Inbound Malware Volume Report - The Python Package Index
- 2FA Enforcement for New User Registrations - The Python Package Index
- PyPI 2FA Security Key Giveaway - PyPI
- Software Bill Of Materials - National Telecommunications and Information Administration
- Introducing ‘Trusted Publishers’ - The Python Package Index
- Trusted Publishers - Getting Started - PyPI Docs
- How To Give Back to Open Source Without Losing Your Mind – vBrownBag
- Good First Issues - OpenSauced
- Good First Issues
- Participation - Hacktoberfest 2023
- Python Release Python 3.12.0 - Python.org
- htmx - high power tools for html
- The web framework for perfectionists with deadlines - Django
- The Python Package Index - Blog
- Mike Fiedler, Code Gardener (@miketheman@hachyderm.io) - Fosstodon
- Mike Fiedler, Code Gardener (@mikefiedler) / X
- Mike Fiedler’s personal website