The Real Python Podcast

Welcoming PyPI's Safety & Security Engineer Mike Fiedler

Oct 20, 2023

This week, Mike Fiedler, PyPI's Safety & Security Engineer, talks about how he started as a contributor and became a maintainer. They discuss securing accounts using 2FA and a new publishing method called trusted publishing. Mike also shares advice on giving back to open source.

58:31

Creator website

Episode guests

Mike Fiedler

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Implementing two-factor authentication (2FA) on PyPI is crucial for preventing account takeovers and ensuring platform security.

Trusted publishing on PyPI, using OpenID Connect (OIDC) metadata, enhances security by eliminating the need for long-lived tokens and allowing only authorized publishers to upload packages.

Raising awareness and encouraging users to enable 2FA through email campaigns and publishing notifications is a key step towards making 2FA mandatory for all PyPI users by the end of 2023.

Deep dives

The Role of a Security Engineer at PyPI

Mike Feidler discusses his role as a Safety and Security Engineer at PyPI, which is responsible for maintaining the Python Package Index. He talks about the importance of securing the accounts of PyPI users and making the platform safe for everyone.

Introduction

2min

The Role of a Safety and Security Engineer at PyPI

18min

The Importance of Using 2FA to Prevent Account Takeover Attacks

12min

Trusted Publishers and OIDC

11min

Exploring the Threat of Typo Squatting and Recommendations for Protection

4min

Challenges in Ensuring Python Supply Chain Security and Community Involvement

2min

Discussion about Contributing to Open Source and Finding Beginner-Friendly Issues

3min

Python 3.12 Release and Performance Improvements

6min

You may remember a recent Python Package Index (PyPI) announcement about hiring a full-time security engineer. We’ve also mentioned several current security initiatives from PyPI. This week on the show, we talk with Mike Fiedler about accepting this new role and securing accounts on PyPI.

Mike talks about how he started as a contributor to PyPI and eventually became a maintainer. We dig into why he fits this new role well and what his responsibilities are.

We discuss the initiative to secure accounts using two-factor authentication (2FA) methods. Mike also explains how package maintainers can adopt a new, more secure publishing method called trusted publishing that doesn’t require long-lived passwords.

We also discuss Mike’s recent talk called “How to Give Back to Open Source Without Losing Your Mind.” Mike shares advice and resources for finding your own contribution entry points.

Course Spotlight: Publishing Python Packages to PyPI

In this video course, you’ll learn how to create a Python package for your project and how to publish it to PyPI, the Python Package Index. Quickly get up to speed on everything from naming your package to configuring it using setup.cfg.

Topics:

00:00:00 – Introduction
00:02:11 – PyPI Safety and Security Engineer
00:05:21 – Why did you initially become a PyPI contributor?
00:11:26 – What are you most excited about in your new role?
00:12:02 – Current security concerns
00:15:07 – Focus on malicious package reporting
00:16:30 – 2FA enforcement and building trust
00:26:51 – Managing credentials and password managers
00:29:24 – Forms of 2FA
00:31:48 – Trusted publishers
00:38:08 – Video Course Spotlight
00:39:28 – Updating an older project
00:41:44 – Evolution of security
00:43:06 – Typosquatting and evolving security
00:49:13 – How To Give Back to Open Source Without Losing Your Mind
00:52:48 – What are you excited about in the world of Python?
00:54:45 – What do you want to learn next?
00:57:06 – How can people follow your work online?
00:57:37 – Thanks and goodbye

Show Links:

Level up your Python skills with our expert-led courses:

Support the podcast & join our community of Pythonistas

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

The Real Python Podcast

Welcoming PyPI's Safety & Security Engineer Mike Fiedler

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

The Role of a Security Engineer at PyPI

The Initiative to Implement Two-Factor Authentication

The Adoption of Trusted Publishing

The Transition to Mandatory 2FA

Contributing to Open Source and Enhancing Security

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights

The Real Python Podcast

Welcoming PyPI's Safety & Security Engineer Mike Fiedler

Episode guests

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

The Role of a Security Engineer at PyPI

The Initiative to Implement Two-Factor Authentication

The Adoption of Trusted Publishing

The Transition to Mandatory 2FA

Contributing to Open Source and Enhancing Security

Get the Snipdpodcast app

AI-poweredpodcast player

Discoverhighlights

Save anymoment

Share& Export

AI-poweredpodcast player

Discoverhighlights

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights