Next Goal: Improving Python Ecosystem Vuln response capacity
This means:
- Threat model guide (@sethmlarson is sprinting on this!)
- Scanning projects
- Sec. Engineer time to respond more
- Incident response that's more than just "when Seth and Mike are working"
-
How else are Watering Hole Attacks being mitigated?
- Trusted Reporters / Auto-Quarantine
- More Trusted Publishing providers
- sudo mode and more scoped privileges
- "Staged Releases"
- "Secure Distributions" for CPython
More Trusted Publishing providers are desired! Warehouse is open source and PRs are welcome.
-
Another new feature that's started mitigating risk: Dependency cooldowns.
Available in pip 26.1, uv, Dependabot and Renovate, cooldowns set a time period that a package release needs to be live before it is installed. Most attack releases are resolved in 24 hours, so having a cooldown period really helps mitigation.
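As an added illustration of what a cooldown does (not code from the talk, pip or uv), this script picks the newest release that has been public for at least a minimum age. The release metadata is a constructed sample in the shape of PyPI's JSON API `releases` mapping, and `_version_key` is a simplified stand-in for real PEP 440 ordering:

```python
"""Dependency cooldown resolver (added example, not pip/uv code).

Given per-version upload times, select the newest version whose first file
was uploaded at least `cooldown` ago. Releases younger than that are skipped,
which is the window in which most malicious releases get caught and pulled.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample; same shape as the "releases" key of PyPI's
# https://pypi.org/pypi/<project>/json response (only the field we need).
SAMPLE_RELEASES = {
    "1.4.0": [{"upload_time_iso_8601": "2026-05-01T09:00:00Z"}],
    "1.4.1": [{"upload_time_iso_8601": "2026-05-10T15:30:00Z"}],
    "1.5.0": [{"upload_time_iso_8601": "2026-05-14T02:00:00Z"}],  # pushed hours ago
    "1.5.1": [],  # yanked / no files: never eligible
}


def _version_key(version):
    # Simplified ordering for dotted numeric versions; real tools use PEP 440.
    return tuple(int(part) for part in version.split("."))


def _first_upload(files):
    # The cooldown clock starts at the earliest file upload of the release.
    stamps = (f["upload_time_iso_8601"].replace("Z", "+00:00") for f in files)
    return min(datetime.fromisoformat(s) for s in stamps)


def select_with_cooldown(releases, cooldown, now):
    """Return (chosen_version, skipped) where skipped lists versions that are
    too new. chosen_version is None when nothing satisfies the cooldown."""
    eligible, skipped = [], []
    for version, files in releases.items():
        if not files:
            continue
        age = now - _first_upload(files)
        if age >= cooldown:
            eligible.append(version)
        else:
            skipped.append(version)
    chosen = max(eligible, key=_version_key) if eligible else None
    return chosen, sorted(skipped, key=_version_key)


if __name__ == "__main__":
    # Fixed "now" so the run is reproducible offline.
    now = datetime(2026, 5, 14, 10, 0, tzinfo=timezone.utc)
    chosen, skipped = select_with_cooldown(SAMPLE_RELEASES, timedelta(hours=24), now)
    print(f"install {chosen}; held back by cooldown: {skipped}")
```

The trade-off a practitioner should keep in mind: the same window that holds back a malicious release also holds back a legitimate security fix, so pair a cooldown with a way to override it for an advisory you have actually read.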
-
PyPI has also done a second audit! Funded by the Sovereign Tech Agency, and performed by @trailofbits
This was focused on the PyPI software itself, and was completed in 2023.
-
In her #PyConUS keynote, Lynn mentioned that some animals also engage in imaginative play.
You all need to know that #LadyDuchess plays a fun trick on hubby and I.
She'll go to the back door and make it clear she wants to go out.
When one of us gets up, walks over, and opens the door, she literally hop-spins away from the door and prances back to the living room 😆
She'll do it 2 or 3 times in a row. I love that girl 🤣😍
-
Other things to do as maintainers:
- Do a threat model analysis on your own software -- "What isn't a vuln?"
- Create a security policy; github will support a SECURITY.md
- Having a CoC helps set standards for respecting maintainer time
- .well-known/security.txt, look at https://securitytxt.org/
- Handle vuln reporting, as internal tickets, to the best of your ability
-
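The `.well-known/security.txt` item above has a concrete format behind it (RFC 9116). As an added example, not from the talk, here is a small validator for the checks that matter most when you publish one: a `Contact`, exactly one `Expires` that is still in the future, and no duplicated single-value fields. The file content is a constructed sample:

```python
"""Validate a .well-known/security.txt (RFC 9116). Added example, not from the talk.

Checks: required Contact and Expires fields, Expires/Preferred-Languages at most
once, Contact values that are URIs, and that Expires has not passed.
"""
from datetime import datetime, timezone

# Constructed sample security.txt for a hypothetical project.
SAMPLE_SECURITY_TXT = """\
# Security contact for the example project
Contact: mailto:security@example.org
Contact: https://example.org/security/report
Expires: 2027-01-01T00:00:00Z
Preferred-Languages: en
Policy: https://example.org/security/policy
"""

REQUIRED = ("contact", "expires")
AT_MOST_ONCE = ("expires", "preferred-languages")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Return {field_name_lowercase: [values]} ignoring comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now):
    """Return a list of problems; an empty list means the file passed."""
    problems = []
    fields = parse_security_txt(text)
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for contact in fields.get("contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"contact is not a mailto:/https:/tel: URI: {contact}")
    if len(fields.get("expires", [])) == 1:
        stamp = fields["expires"][0].replace("Z", "+00:00")
        try:
            expires = datetime.fromisoformat(stamp)
        except ValueError:
            problems.append(f"expires is not an ISO 8601 timestamp: {fields['expires'][0]}")
        else:
            if expires <= now:
                problems.append("expires is in the past; the file is stale")
    return problems


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    issues = check_security_txt(SAMPLE_SECURITY_TXT, now)
    print("OK" if not issues else "\n".join(issues))
```

Serve the file over HTTPS at `/.well-known/security.txt`, and put the `Expires` check on a calendar: a stale file is the most common way these go wrong, and reporters who hit a dead `Contact` tend to go public instead.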
Starting with "Watering Hole Attacks" -- targeting places people are likely to return to.
Shai-Hulud, LiteLLM, Trivy are all examples.
A common loop is:
"Malicious release" -> "Cryptocoins/ransomware/credentials" -> "Get more accounts" -> repeat
Attacks in one ecosystem can spread, because so many companies ship multi-ecosystem packages.
-
Malware reports are going up and to the right -- in fact we're at 4x year over year (🙃)
The people involved (Mike and Seth) have not 4x'd in response.
So let's talk about some of the attacks we're seeing.
-
"AI is changing everything"
Tools are getting much better at finding bugs and defects, so finding these vulns is cheaper, both time and resources.
Reminder: Attackers just have to be correct once, defenders have to be right all the time.
AI has made this asymmetry worse!
-
I have made it to my first talk at #PyConUS
First up: Python Security with @sethmlarson and @miketheman
-
It's day 2 of #PyConUS with more tutorials, sponsor talks, and the Expo Hall opens with the opening reception! Can't wait to see y'all there!
-
Not all the #PyConUS posters are up yet, but the ones that are look amazing 🤩
I especially like...
@pamelafox - explains vector embedding visually in a way that finally helped tie everything together in my head. I feel like I actually *understand* the core concepts 1000% better now.
@simon - I love the dozens of little photos demonstrating real uses of #datasette. Now I want to explore all the niche museums within driving distance of home!
#Python is applied in a mind-boggling variety of ways!
-
It's time for #PyConUS! We're in Long Beach, California, near one of the most active ports in the world.
As such, Bamboo Weekly's challenges are about the Port of Long Beach — how much traffic it gets, what is imported, and from where.
Level up your #Python and #Pandas: https://BambooWeekly.com
-
Okay #PyConUS peeps, I haven't had lunch and will definitely be looking to get a bite after my ~3 PM check-in. Any recs near the conference center for something light or people in the same position who wanna do late lunch?