
Securing Your Python Software Supply Chain With Dustin Ingram

07/02/21 • 71 min

The Real Python Podcast

How well do you know your software supply chain? When you pip install a package, what steps can you take to minimize the risk of installing something malicious? This week on the show, we have Dustin Ingram, a director of the Python Software Foundation (PSF) and a maintainer of the Python Package Index (PyPI).

We talk about Dustin’s PyCon 2021 talk titled “Secure Software Supply Chains for Python”. Dustin shares the types of attacks you should be aware of and how you can make your supply chain more trustworthy. We cover tools, techniques, and best practices.

Dustin also discusses what it takes to keep the Python Package Index running and the players working to keep it going into the future.

Course Spotlight: A Beginner’s Guide to Pip

This course is a great introduction to pip for those who are getting started with Python, and for those who want to understand more about what is happening when you install new packages into your environment. It’s a worthy investment of your time to understand the fundamentals of pip.

Topics:

  • 00:00:00 – Introduction
  • 00:01:51 – Developer Advocate at Google
  • 00:04:34 – A director of the PSF
  • 00:06:27 – A maintainer of PyPI
  • 00:12:29 – Secure Software Supply Chains for Python - PyCon 2021
  • 00:15:53 – Do I need to be a security expert as a Python developer?
  • 00:17:23 – Typo-squatting of package names
  • 00:19:46 – Sponsor: Scout APM
  • 00:20:52 – Dependency confusion and private repos
  • 00:26:00 – What are some best practices?
  • 00:31:55 – How to lessen the scale of “I don’t know what I don’t know”?
  • 00:36:33 – Tools and techniques that can help
  • 00:44:11 – Video Course Spotlight
  • 00:45:30 – Namespaces on PyPI
  • 00:53:03 – What does it take to power the Python Package Index?
  • 01:01:57 – What are you excited about in the world of Python?
  • 01:03:55 – What do you want to learn next?
  • 01:05:52 – What is something you thought you knew about Python, but were wrong about it?
  • 01:08:46 – Shout outs and social information
  • 01:10:16 – Thanks and goodbye

Show Links:

Previous Episode

Practicing Python With CSV Files and Extracting Values With "filter()"

Are you ready to practice your Python skills some more? There is a new set of practice problems prepared for you to tackle, and this time they’re based on working with CSV files. This week on the show, David Amos is back, and he’s brought another batch of PyCoder’s Weekly articles and projects.

David shares an article about functional programming with a focus on the “filter” function. The tutorial covers how to process an iterable and extract the items that satisfy a given condition. It also covers combining filter with other functional tools, and compares it to coding with Pythonic tools like list comprehensions and generator expressions.

We cover several other articles and projects from the Python community including Excel, Python, and the future of data science; a Bayesian analysis of Lego prices in Python; why comments can’t appear after a line continuation character; teaching Python on the Raspberry Pi 400 at the public library; a cross-platform editor designed for writing novels built with Python and Qt; and a text user interface with Rich as the renderer.

Spotlight: Python vs JavaScript for Python Developers

Python and JavaScript are two of the most popular programming languages in the world. In this course, you’ll take a deep dive into the JavaScript ecosystem by comparing Python vs JavaScript. You’ll learn the jargon, language history, and best practices from a Python developer’s perspective.

Topics:

  • 00:00:00 – Introduction
  • 00:02:29 – Excel, Python, and the Future of Data Science
  • 00:07:50 – Python Practice Problems: Parsing CSV Files
  • 00:17:09 – Sponsor: Digital Ocean’s App Platform
  • 00:17:45 – A Bayesian Analysis of Lego Prices in Python With PyMC3
  • 00:23:02 – Why Can’t Comments Appear After a Line Continuation Character?
  • 00:28:40 – Python’s filter(): Extract Values From Iterables
  • 00:34:57 – Video Course Spotlight
  • 00:36:24 – How I Teach Python on the Raspberry Pi 400 at the Public Library
  • 00:46:23 – novelWriter: Cross-Platform Editor Designed for Writing Novels Built With Python and Qt
  • 00:48:02 – textual: A Text User Interface With Rich as the Renderer
  • 00:54:58 – Thanks and goodbye

Show Links:

Excel, Python, and the Future of Data Science – What’s the most widely used tool in data science? Is it pandas or NumPy? Is it the Python language itself? Not really. It’s Excel. You might argue that data scientists aren’t using Excel as their primary tool, and you might be right. But Excel enables non-technical users, like small business owners, to gain insights into their data. In this article, Anaconda CEO Peter Wang discusses his goal of making Python and PyData the “conceptual successor” to Excel.

Python Practice Problems: Parsing CSV Files – In this tutorial, you’ll prepare for future interviews by working through a set of Python practice problems that involve CSV files. You’ll work through the problems yourself and then compare your results with solutions developed by the Real Python team.

A Bayesian Analysis of Lego Prices in Python With PyMC3 – Follow along with this in-depth analysis of LEGO prices to see Bayesian analysis in action. Along the way, you’ll see how pooled and unpooled linear models can be used to determine if a LEGO set is fairly priced. The article is quite technical, so experience with Bayesian statistics is recommended.

Why Can’t Comments Appear After a Line Continuation Character? – Chaining together many object methods can create long lines that break the PEP 8 79-character line length recommendation. You can use \ to break the chain of methods onto individual lines, but if you want to leave comments at the end of some of the lines, you’re out of luck. There’s another pattern, though, that solves this.

Python’s filter(): Extract Values From Iterables – In this step-by-step tutorial, you’ll learn how Python’s filter() works and how to use it effectively in your programs. You’ll also learn how to use list comprehension and generator expressions to replace filter() and make your code more Pythonic.

How I Teach Python on the Raspberry Pi 400 at the Public Library – Community-based programming courses are a great way to introduce folks to computer programming that otherwise may not have the...

Next Episode

Exploring the functools Module and Complex Numbers in Python

Are you ready to expand your Python knowledge into the intermediate to advanced territory? What tools are awaiting your discovery inside Python’s functools module? This week on the show, David Amos is back, and he’s brought another batch of PyCoder’s Weekly articles and projects.

We discuss an article about the functools module, which adds functionality for caching, function overloading, better definitions for decorated functions, and more. David talks about a new Real Python article about working with complex numbers in Python. We also cover a tutorial about troubleshooting memory problems in Python.

We cover several other articles and projects from the Python community including DevOps interview questions, correlation analysis in Python, pivoting and plotting data with pandas, how to use Python and OpenCV to play online chess with a real chessboard, and generating hardware pinout diagrams as SVG images.

Course Spotlight: Python Decorators 101

In this course on Python decorators, you’ll learn what they are and how to create and use them. Decorators provide a simple syntax for calling higher-order functions in Python. By definition, a decorator is a function that takes another function and extends the behavior of the latter function without explicitly modifying it.

Topics:

  • 00:00:00 – Introduction
  • 00:01:56 – The Future of FastAPI and Pydantic Is Bright
  • 00:04:33 – Simplify Complex Numbers With Python
  • 00:10:37 – Functools: The Power of Higher-Order Functions in Python
  • 00:18:40 – Sponsor: Sentry
  • 00:19:42 – How to Pivot and Plot Data With Pandas
  • 00:23:06 – devops-exercises: DevOps Interview Questions
  • 00:32:09 – Video Course Spotlight
  • 00:33:25 – Correlation Analysis 101 in Python
  • 00:39:28 – How to Troubleshoot Memory Problems in Python
  • 00:46:16 – Use Python and OpenCV to Play Online Chess With a Real Chessboard
  • 00:49:28 – pinout: Generate Hardware Pinout Diagrams as SVG Images
  • 00:54:21 – Thanks and goodbyes

Show Links:

The Future of FastAPI and Pydantic Is Bright – Not long ago there was some chatter on the internet about a change in Python 3.10 that would impact Python projects that check types at runtime. The discussion centered around FastAPI and Pydantic and had some folks worried about the future of those projects. In this article, FastAPI’s creator explains what the discussion was all about and why the future of FastAPI and Pydantic remains bright.

Simplify Complex Numbers With Python – In this tutorial, you’ll learn about the unique treatment of complex numbers in Python. Complex numbers are a convenient tool for solving scientific and engineering problems. You’ll experience the elegance of using complex numbers in Python with several hands-on examples.

Functools: The Power of Higher-Order Functions in Python – The functools module is one of the “hidden gems” of the Python standard library. This article takes you on a tour of everything in functools. You’ll learn how to implement caching, function overloading, and a whole lot more.

How to Pivot and Plot Data With Pandas – One of the challenges of working with data is knowing how to manipulate the data format for a particular analysis. And there’s no single correct format. You need to know how to melt, pivot, and transpose data into a format that fits whatever you’re analyzing. If you enjoy this article, be sure to also check out Stefanie’s Pandas Workshop.

devops-exercises: DevOps Interview Questions

Correlation Analysis 101 in Python – Correlation analysis is a useful part of exploratory data analysis. It can help you identify potential relationships between various features of your data. In this helpful guide, you’ll learn how to do correlation analysis in a pandas DataFrame. You’ll see how to display a correlation matrix as a heatmap and explore some guidelines for identifying when correlation might imply causation.

How to Troubleshoot Memory Problems in Python – Memory problems can be frustrating. They’re hard to diagnose and fix, and memory issues in Python applications can be especially frustrating thanks to the lan...
