From Supply Chain Security to PyPI Trusted Publishers: How Seth Protects the Python Ecosystem | PyCast S4EP14🎧🎶
As the Python ecosystem keeps growing, open-source software security has become a global focus. This episode features PyCon TW 2024 keynote speaker Seth Larson, the Python Software Foundation's (PSF) Security Developer in Residence. This relatively new position was created in response to rising global awareness of open-source software security, especially now that its impact extends to critical infrastructure, governments, and large enterprises. Seth walks us through his core work at the PSF, including improving the security of the Python language and of tools such as pip, and working to improve the security posture of the whole ecosystem. He not only handles day-to-day security challenges, but also works to build long-term mechanisms and community collaboration so that open-source software is more resilient against malicious attacks.
🔖 Episode Highlights
• The PSF's core mission: to promote and protect Python and to support the development of the whole community.
• Why the "Developer in Residence" role matters: a full-time commitment to security work, covering the meetings, reading, and long-term planning that volunteers find hard to take on.
• Supply chain security: a close look at the CIA triad (confidentiality, integrity, availability) and how it is applied to defend against tampering in the software supply chain.
• PyPI's successful "Trusted Publishers": secure publishing with no password or API key required, already adopted by 17,000 PyPI projects, greatly improving security and inspiring other ecosystems such as Ruby and npm.
• Cross-ecosystem collaboration: sharing security experience and tools with other open-source communities such as Ruby and npm through the OpenSSF (Open Source Security Foundation).
• The vision that "security should be the default": new users should not have to think about security, because it should be automatic and built in.
• Responding to the EU Cyber Resilience Act (CRA): the PSF is actively building standards and tools to help open-source maintainers meet regulatory requirements easily, such as Software Bills of Materials (SBOM) and vulnerability remediation.
• The challenge of "phantom dependencies": the security blind spots created by non-Python dependencies, common in the Python scientific and AI communities, and the need for related standardization.
• The "communication" superpower of security practitioners: how Seth adapts his communication to different audiences (government, volunteers, non-technical people) so that information gets through and trust and collaboration are built.
• Collaboration with the Python Security Response Team (PSRT): improving the volunteer team's process for handling highly sensitive vulnerability reports, and providing support in emergencies.
Seth's work is not just about solving today's security problems; it is about building a more resilient future for the Python community in which everyone can use Python with confidence. If you are interested in open-source software security, maintaining large projects, or cross-community collaboration, don't miss this episode!
S4 EP14 | Making Open Source Software More Secure: Behind the Scenes with Seth, PSF Security Developer in Residence feat. Seth
From Supply Chain Security to PyPI Trusted Publishers: How Seth Protects the Python Ecosystem | PyCast S4EP14🎧🎶
As the Python ecosystem continues its rapid growth, the security of open-source software has emerged as a critical global concern. This episode is proud to host Seth Larson, a keynote speaker at PyCon TW 2024 and the Python Software Foundation's (PSF) Security Developer in Residence. This pivotal, relatively new role was established in direct response to the escalating global awareness of open-source software security, particularly its profound impact on critical infrastructure, government entities, and major corporations. Seth will provide an exclusive look into his fundamental work at the PSF, which includes fortifying the security of the Python language itself and essential tools like pip. Beyond addressing immediate security challenges, his mission broadly aims to elevate the overall security posture of the entire Python ecosystem. He is dedicated to not only tackling daily threats but also building enduring mechanisms and fostering robust community collaboration to enhance the resilience of open-source software against malicious attacks.
🔖 Episode Highlights
• PSF's Core Mission: Discover how the Python Software Foundation works to promote, protect, and support the vibrant development of the Python community.
• The "Developer in Residence" Role Explained: Understand the crucial need for a full-time commitment to tackling security challenges, a role designed to fill gaps that volunteers often cannot, from attending critical meetings and extensive research to long-term strategic planning.
• Deep Dive into Supply Chain Security: Explore the foundational CIA triad—Confidentiality, Integrity, and Availability—and how these principles are applied to vigorously defend against tampering throughout the software supply chain.
• PyPI's Game-Changing "Trusted Publishers": Learn about this highly successful security feature enabling secure publishing without relying on vulnerable passwords or API keys. Adopted by over 17,000 PyPI projects, it has dramatically boosted security and serves as an inspiration for other ecosystems, including Ruby and npm.
• Fostering Cross-Ecosystem Collaboration: Discover how Seth facilitates the sharing of vital security experiences and cutting-edge tools with other leading open-source communities, such as Ruby and npm, through the OpenSSF (Open Source Security Foundation).
• The Vision of "Security by Default": Envision a future where security is so seamlessly integrated that new users don't need to actively consider it—it's simply an automatic, built-in feature of the Python experience.
• Proactive Response to the EU's Cyber Resilience Act (CRA): The PSF is diligently creating standards and developing practical tools to empower open-source project maintainers to effortlessly comply with forthcoming regulations, including requirements for Software Bill of Materials (SBOM) and efficient vulnerability remediation. (Note: Seth emphasizes that he is not a lawyer and this information should not be considered legal advice).
• Addressing "Phantom Dependencies": Uncover the critical security blind spots introduced by non-Python dependencies, prevalent in the scientific and AI communities, and the urgent need for new standardization efforts to tackle this unique challenge.
• The "Communication Superpower" of Security Pros: Learn how Seth masterfully adapts his communication style to effectively engage diverse audiences—from government officials to dedicated volunteers and non-technical stakeholders—ensuring clear information transfer, building trust, and fostering crucial collaboration.
• Synergistic Collaboration with the Python Security Response Team (PSRT): Discover how Seth enhances the operational efficiency of volunteer teams, enabling them to better handle highly sensitive vulnerability reports and providing essential support during emergency situations.
Seth's impactful work extends far beyond merely resolving immediate security concerns; he is fundamentally dedicated to forging a more resilient and secure future for the entire Python community, ensuring that everyone can utilize it with confidence and peace of mind. If you are passionate about open-source software security, the intricacies of maintaining large-scale projects, or the power of cross-community collaboration, this episode is an absolute must-listen!
Powered by Firstory Hosting
Info
- Show
- Published: August 22, 2025, 10:02 AM [UTC]
- Length: 1 hour 1 minute
- Season: 4
- Episode: 14
- Rating: Suitable for children