Explore the evolving landscape of open source security, emphasizing the need for wider collaboration among experts. Discover how AI tools are enhancing security assessments while keeping the mood light. Delve into the latest updates in Python management and installation features, making development smoother. Join a fun quiz about f-strings alongside a celebration of Django's anniversary. Lastly, meet Toad, a new project set to revolutionize terminal experiences while teasing the quirks of cloud billing in tech.
INSIGHT: Collaborative Open Source Security
Open source security work shouldn't be confined to a project's core maintainers.
Security experts who contribute across many projects can share what they learn and raise the security of all of them.
ADVICE: Building Trust in Security Contributors
Build trust in security contributors by recognizing their track record and community involvement.
Meeting contributors in person or verifying their contributions builds confidence in security work.
ADVICE: Use AI for Security Reviews
Use AI tools to assist with security code reviews and to evaluate the impact of code changes.
AI can provide a helpful, if imperfect, second opinion that improves understanding of a change's security implications.
Join us on YouTube at pythonbytes.fm/live to be part of the audience. Usually Monday at 10am PT. Older video versions available there too.
Finally, if you want an artisanal, hand-crafted digest of every week of the show notes in email form, add your name and email to our friends of the show list; we'll never share it.
It seems like security is special in a sense that we don’t want just anyone working on the security aspect of a project. We just want the trusted maintainers, right?
Seth is arguing that this is the wrong mindset.
It makes more sense that we maybe have security experts contribute to many projects, and that someone working on security for just one project doesn’t benefit from scale.
“Maintainers don’t see how other projects are triaging vulnerabilities and can’t learn from each other. They can’t compare notes on what they are seeing and whether they are doing the right thing. Isolation in security work breeds a culture of fear. Fear of doing the wrong thing and making your users unsafe.”
“These “security contributors” could be maintainers or contributors of other open source projects that know about security, they could be foundations offering up resources to their ecosystem, or engineers at companies helping their dependency graph.”
But how do we build trust in these individuals?
Meeting in person works.
But there are other ways as well.
I’d personally love to have someone contact me about a project of mine regarding a security problem or process that the project could/should follow. Especially if I could see other projects I trust already trusting this individual to work on the other projects.