#pycon — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #pycon, aggregated by home.social.
-
Remember to use your scaffolding to keep students in that zone of proximal development, and *always* reflect! - Elizabeth Bacon @ the #pycon Education Summit
-
When we design instruction, we must think about what kinds of cognitive processes we want students to engage in and what kinds of authentic tasks encourage that process.
Motivate students with context, explain how the skill is really used, scaffold enough for students to complete a meaningful portion of the task, and then assess/reflect on it. - Elizabeth Bacon @ the #pycon Education Summit
-
We still have many authentic skills and practices that students will be very much expected to use as future developers, including the decomposition, using documentation, and communication! - Elizabeth Bacon @ the #pycon Education Summit
-
CS Students have always been able to copy from StackOverflow, so giving the right answer without understanding is not new. However, students are newly extra-tempted to offload cognitive work in ways that do not serve them well, and there are distractions with screens. - Elizabeth Bacon @ the #pycon Education Summit
-
We ate lunch, I'm awake, and up next at the #pycon Education Summit is Elizabeth Bacon with a talk on Scaffolding CS Activities! 🎉
-
Other things to do as maintainers:
- Do a threat model analysis on your own software -- "What isn't a vuln?"
- Create a security policy; GitHub will support a SECURITY.md
- Having a CoC helps set standards for respecting maintainer time
- .well-known/security.txt, look at https://securitytxt.org/
- Handle vuln reporting, as internal tickets, to the best of your ability
-
So what can package maintainers do to help?
Know who to call: [email protected] and [email protected]
Look into Zizmor, then CodeQL, Semgrep, Fuzzer, LLM
-
Next Goal: Improving Python Ecosystem Vuln response capacity
This means:
- Threat model guide (@sethmlarson is sprinting on this!)
- Scanning projects
- Sec. Engineer time to respond more
- Incident response that's more than just "when Seth and Mike are working"
-
How else are Watering Hole Attacks being mitigated?
- Trusted Reporters / Auto-Quarantine
- More Trusted Publishing providers
- sudo mode and more scoped privileges
- "Staged Releases"
- "Secure Distributions" for CPython
More Trusted Publishing Providers is desired! Warehouse is open source and PRs are welcome.
-
At current pace, there will be 65 CVEs that affect the #python package ecosystem this year.
This is easily 3x-4x previous years.
One response to this is PEP-811: defining a Python security response team, membership and responsibilities (https://peps.python.org/pep-0811/)
This makes it easier to add more members and spread the load.
One result already in place: a formal vulnerability report response framework, uniting GitHub security policies and docs and the security response team.
-
Another new feature that's started mitigating risk: Dependency cooldowns.
Available in pip 26.1, uv, Dependabot and Renovate, cooldowns set a time period that a package release needs to be live before it is installed. Most attack releases are resolved in 24 hours, so having a cooldown period really helps mitigation.
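As an added example (not code from the post, nor from pip, uv, Dependabot or Renovate), the resolver below applies the cooldown rule described above to release metadata in the shape of PyPI's JSON API, treating a re-uploaded file as restarting the clock. The versions, timestamps and "current time" are constructed, and plain dotted integer versions are assumed.

```python
"""Dependency-cooldown resolver (added example; not pip/uv/Dependabot code).
Rule from the post: a release must have been live for a minimum period before
it is installed. Input shape mirrors PyPI's JSON API: version -> list of
files, each carrying an ``upload_time_iso_8601`` timestamp. Data is constructed.
"""
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
# Constructed "current time" so the example is deterministic.
NOW = datetime(2025, 5, 15, 0, 0, tzinfo=timezone.utc)

# Constructed sample: 1.4.2 is an older release whose wheel was re-uploaded an
# hour ago; 1.5.0 is a brand-new release (the case a cooldown is meant to catch).
SAMPLE_RELEASES = {
    "1.4.0": [{"upload_time_iso_8601": "2025-05-01T10:00:00Z"}],
    "1.4.1": [{"upload_time_iso_8601": "2025-05-10T10:00:00Z"}],
    "1.4.2": [{"upload_time_iso_8601": "2025-05-12T10:00:00Z"},
              {"upload_time_iso_8601": "2025-05-14T23:00:00Z"}],
    "1.5.0": [{"upload_time_iso_8601": "2025-05-14T22:00:00Z"}],
}

def _parse_ts(ts):
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def _version_key(version):
    # Assumption: plain dotted integer versions; real resolvers use PEP 440.
    return tuple(int(part) for part in version.split("."))

def release_age(files, now=NOW):
    """Age of a release measured from its *newest* file: a file added or
    re-uploaded later restarts the clock, which is the stricter reading."""
    return now - max(_parse_ts(f["upload_time_iso_8601"]) for f in files)

def resolve_with_cooldown(releases, cooldown, now=NOW):
    """Newest version live for at least `cooldown`, or None if none is."""
    eligible = [v for v, files in releases.items()
                if release_age(files, now) >= cooldown]
    return max(eligible, key=_version_key) if eligible else None

def held_back(releases, cooldown, now=NOW):
    """Versions skipped because they are younger than the cooldown (for logs)."""
    return sorted((v for v, files in releases.items()
                   if release_age(files, now) < cooldown), key=_version_key)

if __name__ == "__main__":
    for hours in (0, 24, 24 * 7):
        print(hours, "h ->", resolve_with_cooldown(SAMPLE_RELEASES, hours * HOUR),
              "held back:", held_back(SAMPLE_RELEASES, hours * HOUR))
```

With a 24-hour cooldown the resolver skips both the brand-new 1.5.0 and the re-uploaded 1.4.2 and installs 1.4.1; with no cooldown it would take 1.5.0 immediately.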
-
PyPI has also done a second audit! Funded by the Sovereign Tech Agency, and performed by @trailofbits
This was focused on the PyPI software itself, and was completed in 2023.
-
@elthenerd likely too late to help you now, but I’m told that the extra entrances are locked today but will be open Fri-Sun. The entrance on Pine Street should be open all day today tho! #PyCon
-
So you’re saying Long Beach was thrown together in a real hurry and may not be of high quality? Bold to crow about it.
(I am /assuming/ this branding is some years old and is not an attempt to announce #PyCon’s Friday AI track, but it’s still funny.)
-