Recent attacks targeting major open source repositories such as npm and PyPI have cast a spotlight on a critical issue: the software supply chain is increasingly vulnerable. Attackers are leveraging the trust and collaborative nature of open source ecosystems, deploying malicious versions of popular packages to exploit users and systems.
These incidents underscore the urgent need for enhanced security protocols and vigilant practices within the open source community, especially considering that 96% of today’s codebases contain some open source software.
Watch this fireside chat featuring special guest Dustin Ingram, as we discuss the importance of establishing trust and reinforcing security within open source repositories, the proactive steps being taken by these repositories and their dependent organizations, and the broader implications for the open source ecosystem as a whole.
We cover:
- The imperative for enhanced trust and security in light of recent supply chain attacks
- The nature and variety of today’s threats
- Initiatives like Trusted Publishing for PyPI, in collaboration with key partners, aimed at fortifying the publishing process
- The central role repositories play in the open source ecosystem, and how they balance security against user convenience
- Future directions in securing public repositories, including the integration of software attestations
- Demonstration of securely publishing packages using ActiveState’s Trusted Publisher integration with PyPI
Whether you’re concerned about your organization’s use of open source, a seasoned developer, or a community advocate, get a front-row seat to see how open source repos can be secured for everyone.
Presenters
Dustin Ingram, Fellow, Python Software Foundation
Dustin is a staff software engineer on Google’s Open Source Security Team, where he works on improving the security of the open-source software that Google and the rest of the world rely on. He’s a Python Software Foundation Fellow, where he helps ensure the long-term success of one very big open-source Python project you've probably heard of, Python itself, as well as the community around it. He's also a maintainer of the Python Package Index, where he helps ensure the long-term success of hundreds of thousands of tiny Python projects, many of which you've probably never heard of but which play a critical role in the Python ecosystem.
Pete Garcin, Director of Product, ActiveState
Pete has more than 15 years of software development experience in open source and games. He earned his undergraduate degree at the University of Waterloo, and an MA in Communication from Carleton University in Ottawa. He is passionate about engaging with communities and dedicated to enhancing developers’ experiences.