Back in January 2023 the PSF announced they were hiring a Security Developer-in-Residence (abbreviated as SDIR) following the success of the model used for the CPython Developer-in-Residence. Immediately after reading this news I was over-the-moon excited for Python's future. Attacks on the software supply chain have been on the rise and given Python’s position as one of the most popular programming ecosystems it is a critical time to invest in security and the safety of our community.
I'm honored to have been selected by the PSF to be the inaugural SDIR. The Python community is such a positive part of my life, so I'm grateful for this incredible opportunity to contribute back. I'm looking forward to partnering with all of you to build a more secure Python ecosystem for everyone.
Responsibilities and Keys to Success
The SDIR role has a list of concrete responsibilities, among them are:
- Conduct a security audit of the PyPI codebase and infrastructure.
- Formalize and improve security practices for CPython, PyPI, and the broader Python community.
- Address security issues across PSF projects like CPython and PyPI and improve the ability to identify and resolve future issues.
- Collaborate with other contributors working on security improvements including with the new PyPI Safety and Security Engineer role to be announced later by the PSF.
- Establish metrics on security posture to show impact.
While working on the above responsibilities I’ll be using the below principles to guide my work as SDIR.
Sustainability
As an open source maintainer myself I know that very few people get into contributing to open source because they want to implement security best practices. Most people want to contribute to a topic or project that they're passionate about. In an ideal world that's all you'd need to worry about, but in reality we're making security decisions every day like reviewing pull requests, picking a 2FA method, and deciding who to onboard onto projects.
Many of the new security initiatives and tools for open source have gotten something right: that adoptability
and developer experience are one of the most important parts of building anything to improve security
in the open source ecosystem. This will be key for me when considering recommendations for the community.
There will always be high-uncertainty components in complex systems people involved in open source, so we won't be able to make every improvement happen without
some churn, but as much as possible this should be minimized in order to have a larger adoption and impact.
Being full-time means there is a unique opportunity to make improvements that require a consistent and long-term commitment like collaborating with external organizations, keeping up to date with new standards, and advocating for Python's perspective with other open source ecosystem security folks. Doing this work and making the outputs available should help unblock further downstream improvements without putting the time burden on volunteers.
Clarity
The open source software security landscape has been experiencing an explosion of new initiatives, technologies, and requirements. It can be tough to keep up with what is happening, especially as someone volunteering their limited time. I plan on immersing myself even further in the ecosystem to help figure out what might work best for the Python ecosystem given the unique use-cases and challenges we’re facing today.
I can't do it alone, though! There are smart folks in every corner of open source that know much more than me about their area of interest. This role isn’t meant to be an absolute expert in any one area and there is so much we can learn from each other. Get in contact if you'd like to share or collaborate on a particular area or topic.
Visibility
Security work has the all-too-common issue of if everything is going smoothly then no one knows how much is happening behind the scenes. This problem of visibility means that it’s more difficult for interested parties to get involved or provide resources. Part of ensuring current and future success in this area requires talking about what’s getting done and highlighting where there is more opportunity.
Much of the work done by this role will be done in the open, meaning I can tell you all about what has been accomplished. Look forward to updates on the PSF blog and the new PyPI blog for new security features and improvements from me and the many others working to build a more secure Python ecosystem.
If you have questions about the role or are interested in getting involved please reach out to seth@python.org.
Thanks for reading! ♡ Did you find this article helpful and want more content like it?
Get notified of new posts by subscribing to the RSS feed or the email newsletter.
This work is licensed under 
