home.social

Search

1000 results for “pycon”

  1. Brad L. :verified: @[email protected] ·

    Today's note promoting @pythonbynight's excellent talk at North Bay PyCon:

    #fuck_ai #ai #llm

    divisionbyzero.net/notes/2026-

    #fuck_ai #ai #llm
  2. phildini @[email protected] ·

    So what can package maintainers do to help?

    Know who to call: [email protected] and [email protected]

    Look into Zizmor, then CodeQL, Semgrep, Fuzzer, LLM

    #PyConUS #PyCon

    #pyconus #pycon
  3. phildini @[email protected] ·

    So what can package maintainers do to help?

    Know who to call: [email protected] and [email protected]

    Look into Zizmor, then CodeQL, Semgrep, Fuzzer, LLM

    #PyConUS #PyCon

    #pyconus #pycon
  4. phildini @[email protected] ·

    So what can package maintainers do to help?

    Know who to call: [email protected] and [email protected]

    Look into Zizmor, then CodeQL, Semgrep, Fuzzer, LLM

    #PyConUS #PyCon

    #pyconus #pycon
  5. phildini @[email protected] ·

    So what can package maintainers do to help?

    Know who to call: [email protected] and [email protected]

    Look into Zizmor, then CodeQL, Semgrep, Fuzzer, LLM

    #PyConUS #PyCon

    #pycon #pyconus
  6. phildini @[email protected] ·

    So what can package maintainers do to help?

    Know who to call: [email protected] and [email protected]

    Look into Zizmor, then CodeQL, Semgrep, Fuzzer, LLM

    #PyConUS #PyCon

    #pyconus #pycon
  7. phildini @[email protected] ·

    Next Goal: Improving Python Ecosystem Vuln response capacity

    This means:
    - Threat model guide (@sethmlarson is sprinting on this!)
    - Scanning projects
    - Sec. Engineer time to respond more
    - Incident response that's more than just "when Seth and Mike are working"

    #PyConUS #PyCon

    #pyconus #pycon
  8. phildini @[email protected] ·

    Next Goal: Improving Python Ecosystem Vuln response capacity

    This means:
    - Threat model guide (@sethmlarson is sprinting on this!)
    - Scanning projects
    - Sec. Engineer time to respond more
    - Incident response that's more than just "when Seth and Mike are working"

    #PyConUS #PyCon

    #pyconus #pycon
  9. phildini @[email protected] ·

    Next Goal: Improving Python Ecosystem Vuln response capacity

    This means:
    - Threat model guide (@sethmlarson is sprinting on this!)
    - Scanning projects
    - Sec. Engineer time to respond more
    - Incident response that's more than just "when Seth and Mike are working"

    #PyConUS #PyCon

    #pyconus #pycon
  10. phildini @[email protected] ·

    Next Goal: Improving Python Ecosystem Vuln response capacity

    This means:
    - Threat model guide (@sethmlarson is sprinting on this!)
    - Scanning projects
    - Sec. Engineer time to respond more
    - Incident response that's more than just "when Seth and Mike are working"

    #PyConUS #PyCon

    #pycon #pyconus
  11. phildini @[email protected] ·

    Next Goal: Improving Python Ecosystem Vuln response capacity

    This means:
    - Threat model guide (@sethmlarson is sprinting on this!)
    - Scanning projects
    - Sec. Engineer time to respond more
    - Incident response that's more than just "when Seth and Mike are working"

    #PyConUS #PyCon

    #pyconus #pycon
  12. phildini @[email protected] ·

    How else are Watering Hole Attacks being mitigated?

    - Trusted Reporters / Auto-Quarantine
    - More Trusted Publishing providers
    - sudo mode and more scoped privileges
    - "Staged Releases"
    - "Secure Distributions" for CPython

    More Trusted Publishing Providers is desired! Warehouse is open source and PRs are welcome.

    #PyConUS #PyCon

    #pyconus #pycon
  13. phildini @[email protected] ·

    How else are Watering Hole Attacks being mitigated?

    - Trusted Reporters / Auto-Quarantine
    - More Trusted Publishing providers
    - sudo mode and more scoped privileges
    - "Staged Releases"
    - "Secure Distributions" for CPython

    More Trusted Publishing Providers is desired! Warehouse is open source and PRs are welcome.

    #PyConUS #PyCon

    #pyconus #pycon
  14. phildini @[email protected] ·

    How else are Watering Hole Attacks being mitigated?

    - Trusted Reporters / Auto-Quarantine
    - More Trusted Publishing providers
    - sudo mode and more scoped privileges
    - "Staged Releases"
    - "Secure Distributions" for CPython

    More Trusted Publishing Providers is desired! Warehouse is open source and PRs are welcome.

    #PyConUS #PyCon

    #pyconus #pycon
  15. phildini @[email protected] ·

    How else are Watering Hole Attacks being mitigated?

    - Trusted Reporters / Auto-Quarantine
    - More Trusted Publishing providers
    - sudo mode and more scoped privileges
    - "Staged Releases"
    - "Secure Distributions" for CPython

    More Trusted Publishing Providers is desired! Warehouse is open source and PRs are welcome.

    #PyConUS #PyCon

    #pycon #pyconus
  16. phildini @[email protected] ·

    How else are Watering Hole Attacks being mitigated?

    - Trusted Reporters / Auto-Quarantine
    - More Trusted Publishing providers
    - sudo mode and more scoped privileges
    - "Staged Releases"
    - "Secure Distributions" for CPython

    More Trusted Publishing Providers is desired! Warehouse is open source and PRs are welcome.

    #PyConUS #PyCon

    #pyconus #pycon
  17. phildini @[email protected] ·

    At current pace, there will be 65 CVEs that affect the #python package ecosystem this year.

    This is easily 3x-4x previous years.

    One response to this is PEP-811: defining a Python security response team, membership and responsibilities (peps.python.org/pep-0811/)

    This makes it easier to add more members and spread the load.

    One result already in place: a formal vulnerability report response framework, uniting Github security policies and docs and the security response team.

    #PyConUS #PyCon

    #python #pyconus #pycon
  18. phildini @[email protected] ·

    At current pace, there will be 65 CVEs that affect the #python package ecosystem this year.

    This is easily 3x-4x previous years.

    One response to this is PEP-811: defining a Python security response team, membership and responsibilities (peps.python.org/pep-0811/)

    This makes it easier to add more members and spread the load.

    One result already in place: a formal vulnerability report response framework, uniting Github security policies and docs and the security response team.

    #PyConUS #PyCon

    #python #pyconus #pycon
  19. phildini @[email protected] ·

    At current pace, there will be 65 CVEs that affect the #python package ecosystem this year.

    This is easily 3x-4x previous years.

    One response to this is PEP-811: defining a Python security response team, membership and responsibilities (peps.python.org/pep-0811/)

    This makes it easier to add more members and spread the load.

    One result already in place: a formal vulnerability report response framework, uniting Github security policies and docs and the security response team.

    #PyConUS #PyCon

    #python #pyconus #pycon
  20. phildini @[email protected] ·

    At current pace, there will be 65 CVEs that affect the #python package ecosystem this year.

    This is easily 3x-4x previous years.

    One response to this is PEP-811: defining a Python security response team, membership and responsibilities (peps.python.org/pep-0811/)

    This makes it easier to add more members and spread the load.

    One result already in place: a formal vulnerability report response framework, uniting Github security policies and docs and the security response team.

    #PyConUS #PyCon

    #pycon #pyconus #python
  21. phildini @[email protected] ·

    At current pace, there will be 65 CVEs that affect the #python package ecosystem this year.

    This is easily 3x-4x previous years.

    One response to this is PEP-811: defining a Python security response team, membership and responsibilities (peps.python.org/pep-0811/)

    This makes it easier to add more members and spread the load.

    One result already in place: a formal vulnerability report response framework, uniting Github security policies and docs and the security response team.

    #PyConUS #PyCon

    #python #pyconus #pycon
  22. phildini @[email protected] ·

    Another new feature that's started mitigating risk: Dependency cooldowns.

    Available in pip 26.1 and uv, dependabot, renovate, cooldowns set a time period that a package release needs to be live before installing it. Most attack releases are resolved in 24 hours, so having a cooldown period really helps mitigation.

    #PyConUS #PyCon

    #pyconus #pycon
  23. phildini @[email protected] ·

    Another new feature that's started mitigating risk: Dependency cooldowns.

    Available in pip 26.1 and uv, dependabot, renovate, cooldowns set a time period that a package release needs to be live before installing it. Most attack releases are resolved in 24 hours, so having a cooldown period really helps mitigation.

    #PyConUS #PyCon

    #pyconus #pycon
  24. phildini @[email protected] ·

    Another new feature that's started mitigating risk: Dependency cooldowns.

    Available in pip 26.1 and uv, dependabot, renovate, cooldowns set a time period that a package release needs to be live before installing it. Most attack releases are resolved in 24 hours, so having a cooldown period really helps mitigation.

    #PyConUS #PyCon

    #pyconus #pycon
  25. phildini @[email protected] ·

    Another new feature that's started mitigating risk: Dependency cooldowns.

    Available in pip 26.1 and uv, dependabot, renovate, cooldowns set a time period that a package release needs to be live before installing it. Most attack releases are resolved in 24 hours, so having a cooldown period really helps mitigation.

    #PyConUS #PyCon

    #pycon #pyconus
  26. phildini @[email protected] ·

    Another new feature that's started mitigating risk: Dependency cooldowns.

    Available in pip 26.1 and uv, dependabot, renovate, cooldowns set a time period that a package release needs to be live before installing it. Most attack releases are resolved in 24 hours, so having a cooldown period really helps mitigation.

    #PyConUS #PyCon

    #pyconus #pycon
  27. phildini @[email protected] ·

    PyPI has also done a second audit! Funded by the Sovereign Tech Agency, and performed by @trailofbits

    This was focused on the PyPI software itself, and was completed in 2023.

    #PyConUS #PyCon

    #pyconus #pycon
  28. phildini @[email protected] ·

    PyPI has also done a second audit! Funded by the Sovereign Tech Agency, and performed by @trailofbits

    This was focused on the PyPI software itself, and was completed in 2023.

    #PyConUS #PyCon

    #pyconus #pycon
  29. phildini @[email protected] ·

    PyPI has also done a second audit! Funded by the Sovereign Tech Agency, and performed by @trailofbits

    This was focused on the PyPI software itself, and was completed in 2023.

    #PyConUS #PyCon

    #pyconus #pycon
  30. phildini @[email protected] ·

    PyPI has also done a second audit! Funded by the Sovereign Tech Agency, and performed by @trailofbits

    This was focused on the PyPI software itself, and was completed in 2023.

    #PyConUS #PyCon

    #pycon #pyconus
Next page