Who’s Keeping the Python Ecosystem Safe?
PITTSBURGH — Mike Fiedler’s official title in his role at the Python Software Foundation is “PyPI safety and security engineer.” But unofficially, he’s given himself a humbler moniker: “code gardener.”
What, pray tell, is a code gardener?
Fiedler gave himself that descriptor, he said in this On the Road episode of The New Stack Makers, recorded at PyCon US in May, back in the days when developers who worked on open source projects gave themselves “silly titles for the things we were doing.” But it turns out, there’s nothing funny about the work of a code gardener.
In a sense, he “pulls the weeds” that crop up in a project over time, he said — handling the nonsexy parts of open source contribution.”
“It’s important, but a lot of people aren’t don’t find that as interesting,” Fiedler said. “I think there’s always this aspect of gardening or weeding out things of your code.”
Since August, Fiedler has been digging into the Python Package Index, or PyPI, at the Python Software Foundation. His work is being funded by Amazon Web Services.
See Something? Say Something.
Python is memory-safe. But the open source nature of Python means that “when it comes to the ecosystem, there are lots of packages or third-party modules that people want to include,” Fiedler said. “And those should be vetted by people who are installing them. Before you install and deploy your software to production, you should take a moment to see, is this Kosher?”
At the Python Software Foundation, Fiedler focuses on improving the security of the package index and its ecosystem. That includes not just that the packages themselves are free of malware but that the pipeline itself is secure.
In other words, he elaborated, “The supply chain security aspect of it: that we will deliver the right package the right bits on a disk that you asked for every single time. And if they change, all sorts of like bells and whistles should go off at that point.”
Among Fiedler’s first acts upon starting his job last summer was enforcing two-factor authentication (2FA) on all user accounts. The foundation has enabled 2FA a couple of years earlier. “But we didn’t have a plan, going forward to specifically get everybody on board,” he said. “it was more of an opt-in.“
He embarked on a community awareness campaign getting the word out via podcasts and blog posts; when 2FA became mandatory for users on January 1, the transition was smooth.
Tapping the community has also helped to keep PyPI safe, he said. “We partner along with a lot of security researchers and the public in general, [for a] ‘if you see something, say something’ aspect, to build out this community of folks who are well invested in scouring all of these packages for signals that look fishy. And then they escalate those signals and report them back to us. And we verify and remove those malicious packages.”
In late 2023, the foundation embarked on a security audit by Trail of Bits, supported by the Open Technology Fund, diving deep into the PyPI codebase and its deployment tools. The results didn’t reveal that PyPI was “clean as a whistle because there’s always something to do,” Fiedler said. But there were no major fires to put out — just a few medium-sized vulnerabilities that were remediated quickly.
“There weren’t big gaping holes, there were just some extra doors,” he said. Locking up those doors will increase the platform’s security. The results are available for review on the PyPI.org website.
Check out the full video for more details on how Fiedler’s work at the Python Software Foundation helps keep the Python ecosystem safe.
