#pyconus — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #pyconus, aggregated by home.social.
-
So what can package maintainers do to help?
Know who to call: [email protected] and [email protected]
Look into Zizmor, then CodeQL, Semgrep, Fuzzer, LLM
-
Next Goal: Improving Python Ecosystem Vuln response capacity
This means:
- Threat model guide (@sethmlarson is sprinting on this!)
- Scanning projects
- Sec. Engineer time to respond more
- Incident response that's more than just "when Seth and Mike are working"
-
How else are Watering Hole Attacks being mitigated?
- Trusted Reporters / Auto-Quarantine
- More Trusted Publishing providers
- sudo mode and more scoped privileges
- "Staged Releases"
- "Secure Distributions" for CPython
More Trusted Publishing Providers is desired! Warehouse is open source and PRs are welcome.
-
Just presented at EduSummit #PyConUS
"Your slides, but faster:
Building an AI-powered presentation workflow"
https://pamelafox.github.io/ai-powered-presentation-workflow/
Tips: Use RevealJS, ASCII mockups, audits, agent skills
-
At current pace, there will be 65 CVEs that affect the #python package ecosystem this year.
This is easily 3x-4x previous years.
One response to this is PEP-811: defining a Python security response team, membership and responsibilities (https://peps.python.org/pep-0811/)
This makes it easier to add more members and spread the load.
One result already in place: a formal vulnerability report response framework, uniting Github security policies and docs and the security response team.
-
Another new feature that's started mitigating risk: Dependency cooldowns.
Available in pip 26.1 and uv, dependabot, renovate, cooldowns set a time period that a package release needs to be live before installing it. Most attack releases are resolved in 24 hours, so having a cooldown period really helps mitigation.
-
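As an added illustration of the cooldown idea in the post above (this is not pip's, uv's, Dependabot's or Renovate's code), the following Python picks the newest non-yanked release that has been on the index for at least N days. The release metadata is constructed by hand in the shape of the "releases" mapping from PyPI's JSON API, and the fixed "now" is an assumed clock so the run is deterministic. Version ordering is a plain dotted-integer compare, an assumption that holds for the sample only; a real resolver would use PEP 440 ordering.

```python
"""Cooldown-aware release selection over PyPI-style release metadata.

Illustrative example only: this is not pip's, uv's, Dependabot's or
Renovate's implementation. The metadata below is constructed by hand in the
shape of the "releases" mapping from https://pypi.org/pypi/<project>/json.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample metadata (not a real project). Each version maps to its
# uploaded files; upload times are ISO 8601 in UTC as PyPI returns them.
SAMPLE_RELEASES = {
    "1.3.9": [{"filename": "pkg-1.3.9-py3-none-any.whl",
               "upload_time_iso_8601": "2026-03-02T08:00:00.000000Z",
               "yanked": True}],
    "1.4.0": [{"filename": "pkg-1.4.0-py3-none-any.whl",
               "upload_time_iso_8601": "2026-05-01T12:00:00.000000Z",
               "yanked": False}],
    "1.4.1": [{"filename": "pkg-1.4.1-py3-none-any.whl",
               "upload_time_iso_8601": "2026-05-14T09:30:00.000000Z",
               "yanked": False}],
    # Hypothetical "just pushed" release: the kind a cooldown is meant to hold back.
    "1.5.0": [{"filename": "pkg-1.5.0-py3-none-any.whl",
               "upload_time_iso_8601": "2026-05-15T22:10:00.000000Z",
               "yanked": False}],
}

# Assumed clock for the sample so the example is deterministic.
SAMPLE_NOW = datetime(2026, 5, 16, 12, 0, tzinfo=timezone.utc)


def _version_key(version: str) -> tuple[int, ...]:
    # Assumption: sample versions are plain dotted integers. A real resolver
    # must use PEP 440 ordering (e.g. packaging.version.Version) instead.
    return tuple(int(part) for part in version.split("."))


def _parse_upload_time(stamp: str) -> datetime:
    # PyPI emits a trailing "Z"; normalise it for datetime.fromisoformat.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def release_live_since(files: list[dict]) -> datetime:
    # A release counts as "live" from its earliest file upload.
    return min(_parse_upload_time(f["upload_time_iso_8601"]) for f in files)


def _installable(files: list[dict]) -> bool:
    # Yanked or file-less releases are never candidates here.
    return bool(files) and not any(f.get("yanked", False) for f in files)


def eligible_versions(releases: dict, cooldown_days: float, now: datetime) -> list[str]:
    """Installable versions that have been live for at least cooldown_days."""
    cutoff = now - timedelta(days=cooldown_days)
    eligible = [v for v, files in releases.items()
                if _installable(files) and release_live_since(files) <= cutoff]
    return sorted(eligible, key=_version_key)


def held_back_versions(releases: dict, cooldown_days: float, now: datetime) -> list[str]:
    """Installable versions that exist but are still inside the cooldown window."""
    ok = set(eligible_versions(releases, cooldown_days, now))
    return sorted((v for v, files in releases.items() if _installable(files) and v not in ok),
                  key=_version_key)


def select_version(releases: dict, cooldown_days: float, now: datetime) -> str | None:
    """Newest eligible version, or None if every release is too fresh or yanked."""
    eligible = eligible_versions(releases, cooldown_days, now)
    return eligible[-1] if eligible else None


if __name__ == "__main__":
    for days in (0, 1, 7, 30):
        chosen = select_version(SAMPLE_RELEASES, days, SAMPLE_NOW)
        held = held_back_versions(SAMPLE_RELEASES, days, SAMPLE_NOW)
        print(f"cooldown={days}d -> install {chosen!r}, held back {held}")
```

With a one-day cooldown the freshly uploaded 1.5.0 is held back and 1.4.1 is chosen; with a 30-day cooldown nothing qualifies and the caller must decide whether to fail closed or fall back to a pinned version. The held-back list is the thing worth surfacing in CI logs, since a cooldown only delays exposure: a malicious release that survives past the window is installed like any other, so pair it with pinning and hash checking.
-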
Our plane landing at #pyconus. Taken by a pymug member (Nythienzo) on ground!
-
PyPI has also done a second audit! Funded by the Sovereign Tech Agency, and performed by @trailofbits
This was focused on the PyPI software itself, and was completed in 2023.
-
@pamelafox 's prez about slides with agents at #pyconus was compelling as always
-
I just finished giving my talk at the #PyConUS education summit, "Vibe teaching: #Python training in the age of AI."
What fun!
I've uploaded the slides: https://speakerdeck.com/reuven/vibe-teaching-python-training-in-the-age-of-ai-pycon-us-2026-education-summit
-
Good morning #PyConUS! FYI: #pyladies auction donations are due today and you'll need to fill out: https://docs.google.com/forms/d/e/1FAIpQLSciOIX5Omvwn8i41xI9zmBhljcuC6Soz-ryMRLL6RIDdC2yfQ/viewform
And don't forget to come to the auction on Sat night! Dinner will be served and tickets here: https://us.pycon.org/2026/events/pyladies-auction/
-
#PyConUS One of my fondest memories of PyCon in Pittsburgh a few years ago was meeting up with a bunch of fellow pythonistas for a run through the park by the river. Now we get to do it by the ocean! Anyone interested in joining me for a run tomorrow morning? Gotta get out early enough to get breakfast afterward. I’m thinking maybe meet at the convention center entrance at 7am? 3-4 miles, relaxed pace.
-
Registered. Not signed up for tutorials today. Going to spend time hanging in the hallways now that I found a handy outlet to charge my laptop.
-
If someone tells you to go outside the doors to get to seaside. You may not be allowed to come back. Please avoid. #PyconUS
-
EduSummit is now happening at #PyconUS !
https://us.pycon.org/2026/events/education-summit/
I'll be giving a lightning talk and tutorial in the afternoon. Join us.
-
What does PyCon US have in store today?
Will it be as cool as these sweet shiny ones I pulled last night during the MTG draft @crazy4pi314 hosted last night?
They'll be hosting another draft on Sunday if you're interested.
-