2023-06 pydantic + Security Developer-in-Residence (SDIR)

Security Developer-in-Residence – Weekly Report #1

Welcome to the first report from me fulfilling the role of Security Developer-in-Residence (SDIR).

Since this role serves the Python community, I would like to publish these reports weekly to give some insight into what I’m working on and thinking about.

Responsibilities and Keys to Success

The SDIR role has a list of concrete responsibilities; among them are:

  • Conduct a security audit of the PyPI codebase and infrastructure.

  • Formalize and improve security practices for CPython, PyPI, and the broader Python community.

  • Address security issues across PSF projects like CPython and PyPI and improve the ability to identify and resolve future issues.

  • Collaborate with other contributors working on security improvements including with the new PyPI Safety and Security Engineer role to be announced later by the PSF.

  • Establish metrics on security posture to show impact.

While working on the above responsibilities I’ll be using the below principles to guide my work as SDIR.

Visibility

Security work has the all-too-common problem that when everything is going smoothly, no one knows how much is happening behind the scenes.

This problem of visibility means that it’s more difficult for interested parties to get involved or provide resources.

Part of ensuring current and future success in this area requires talking about what’s getting done and highlighting where there is more opportunity.

Much of the work done by this role will be done in the open, meaning I can tell you all about what has been accomplished.

Look forward to updates on the PSF blog and the new PyPI blog for new security features and improvements from me and the many others working to build a more secure Python ecosystem.

If you have questions about the role or are interested in getting involved please reach out to seth @ python . org .

2023-06-30 pydantic Pydantic version 2.0 (2023-06-30)

2023-06-27 Introduction from Security Developer-in-Residence

Hello everyone! :wave:

Last week the PSF announced me as the Security Developer-in-Residence and I wanted to introduce myself and detail how the role relates to CPython.

I’m Seth Larson. I’ve been a contributor to the Python open source ecosystem for a few years, mostly maintaining packages like urllib3 and requests.

I also write about open source supply chain security, maintenance, and sustainability as these are topics very close to my heart. I have some knowledge about CPython core development but I am not currently a CPython core developer.

Regarding the role itself, I covered a bit of the “what” and “how” on my own personal blog, but the gist is to make recommendations and take actions to improve the security posture for projects like CPython, PyPI, and the broader Python ecosystem.

For CPython, this will likely focus initially on the Python Security Response Team but will extend to other topics as I plan for the next year in this role. I welcome feedback on potential projects or areas to focus on; please get in touch if you have thoughts.

Additionally, if there are other resources/channels that I should be a participant in that I may not be aware of, I’m happy to have them sent my way.

That’s all I have for now, I look forward to collaborating with you all to build a more secure Python ecosystem! :rocket:

2023-06-27 Discovery of Python Conference Deadlines ( https://pythondeadlin.es/?sub=PY,SCIPY,PYDATA,WEB ) by Jesper Dramsch

Python deadlines curates your favourite Python conferences.

This community tool serves as a central repository for deadlines of calls for participation, proposals, workshops, and tutorials at Python conferences.

The dates are made available as countdowns, in local timezones and even as a Google calendar below!

Deadlines are shown in Europe/Paris time.

To view them in conference website timezones, click on the conference.

You can optionally export all deadlines to Google Calendar or .ics.

Is your favourite conference missing? Add or edit a conference by sending in a pull request.

Other site

2023-06-22 Use of tox-dev/pyproject-fmt in .pre-commit.yaml

- repo: https://github.com/tox-dev/pyproject-fmt
  rev: "0.12.1"
  hooks:
    - id: pyproject-fmt

2023-06-22 Extract project information from pyproject.toml

import sys
from pathlib import Path

if sys.version_info >= (3, 11):
    import tomllib
else:
    import tomli as tomllib  # type: ignore[import]


project_path = Path(__file__).parent.parent.resolve()

# Fetch general information about the project from pyproject.toml.
toml_path = project_path / "pyproject.toml"
toml_config = tomllib.loads(toml_path.read_text())

# Redistribute pyproject.toml config to Sphinx.
project_id = toml_config["tool"]["poetry"]["name"]
version = release = toml_config["tool"]["poetry"]["version"]
url = toml_config["tool"]["poetry"]["homepage"]
author = ", ".join(
    a.split("<")[0].strip() for a in toml_config["tool"]["poetry"]["authors"]
)

# Title-case each word of the project ID.
project = " ".join(word.title() for word in project_id.split("-"))
htmlhelp_basename = project_id

2023-06 Designing Pythonic library APIs

2023-06-10 Doing #Python in 2023, with an editor (Kate ❤️) that supports LSP, type annotations, dataclasses, and structural pattern matching, is almost as cool as doing #OCaml 😎

Well, honestly, doing #Python in 2023, with an editor (Kate ❤️) that supports LSP, type annotations, dataclasses, and structural pattern matching, is almost as cool as doing #OCaml 😎 (but with Python’s advantages in terms of libraries, support, etc.).

@p4bl0 what exactly does LSP bring?

I had seen that you can install things in Jupyter, but it wasn’t clear to me what it was for and whether it sends data externally.

@juliensalort @p4bl0 it’s a standard protocol that lets language integration tools be developed in an editor-agnostic way, and thus lets all the effort be concentrated on a better tool for auto-completion, refactoring, etc.

The server runs locally for local files but can run on a server if that’s where the files to edit are.

Overall, that’s what most language integrations are developed with now, and Python has a good LSP server since, historically, that’s where Microsoft launched the concept, if I’m not mistaken.

@jpoiret @juliensalort and so with the mypy extension for pylsp, it also does type checking (and it’s fairly powerful) in real time in the editor. Like tuareg-mode in Emacs for OCaml.

@p4bl0 @jpoiret @juliensalort I’m quite interested in that! Do you have a tutorial for configuring mypy/pylsp with Kate?

@tfardet @jpoiret @juliensalort There’s nothing to configure, it just works if you enable the LSP plugin in Kate and install the necessary packages (on Debian, python3-pylsp and the python3-pylsp-{mypy,rope,black} plugins, for example).

@p4bl0 @jpoiret @juliensalort OK, great, it does indeed seem to work! Thanks :D

Warning

I don’t use it because it doesn’t display emojis

2023-06-01 Enforcement of 2FA for upload.pypi.org begins today (2023-06-01) by: Ee Durbin #security #2fa

Beginning today, all uploads from user accounts with 2FA enabled will be required to use an API Token or Trusted Publisher configuration in place of their password.

This change has been planned ( https://github.com/pypi/warehouse/issues/7265 ) since 2FA was rolled out in 2019. In February of 2022 we began notifying users on upload that this change was coming.

If you have 2FA enabled and have been using only your password to upload, the following email is likely familiar to you:

Initially, we intended for this notice to live for six months before we began enforcement.

However, some valid concerns were raised regarding the use of user-scoped API tokens for new project creation.

With the introduction of Trusted Publishers, PyPI now provides a way for users to publish new projects without provisioning a user-scoped token, and to continue publishing without ever provisioning a long-lived API token at all.

Given this, and our commitment to further rolling out 2FA across PyPI, we are now enforcing this policy.
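An added check, not part of Ee Durbin’s post: it classifies how a `.pypirc` file authenticates to an index, so a maintainer can spot password-only configurations (the kind rejected on upload.pypi.org for 2FA accounts) before an upload fails. The `.pypirc` layout is the one twine documents; the sample file contents are constructed.

```python
import configparser

# Constructed sample .pypirc contents (not taken from the original post).
WEAK_PYPIRC = """
[distutils]
index-servers = pypi

[pypi]
username = alice
password = hunter2
"""

TOKEN_PYPIRC = """
[distutils]
index-servers = pypi

[pypi]
username = __token__
password = pypi-EXAMPLE-PLACEHOLDER-TOKEN
"""


def pypirc_auth_mode(text: str, section: str = "pypi") -> str:
    """Classify the credentials stored for one index section of a .pypirc.

    Returns one of:
      "token"    - username is __token__ and a PyPI API token is supplied
      "password" - a plain username/password pair, which 2FA-enabled
                   accounts can no longer use for uploads
      "none"     - no credentials stored (twine prompts, or uses env/keyring)
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if not cfg.has_section(section):
        return "none"
    user = cfg.get(section, "username", fallback="").strip()
    secret = cfg.get(section, "password", fallback="").strip()
    if not user and not secret:
        return "none"
    # PyPI API tokens are prefixed "pypi-" and are used with the fixed
    # username "__token__".
    if user == "__token__" and secret.startswith("pypi-"):
        return "token"
    return "password"


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PYPIRC), ("token", TOKEN_PYPIRC)):
        print(f"{label}: {pypirc_auth_mode(text)}")
```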