Security 101 for package maintainers

Glab the slides:

Are you a package maintainer?

Or do you use an open source library?

Name a library that you use everyday - a popular one

Now imagine you are maintaining that library

One day you wake up...

And discover that your GitHub account has been compromised!!

Baddies got your log in and everything...

What's worse, they can now publish a "new release" of your library that could be used by a lot of unalarmed people

Now you have put a lot of people, organizations and companies at risk...

This is not good!

Luckily, it hasn't happened... yet!


We need to do something to avoid it at all cost!!!

Security 101


a crash course about how to protect yourself and everyone

There are a few ways baddies can get you

  • Did you use the same password everywhere?
  • Did you use 2FA?
  • Did you use SMS 2FA?
  • Is your email account secure?

1. Don't let baddies get your account

Secure your account by

  • Setting a strong password and using password managers
  • Activate 2FA - but not SMS 2FA
  • Keep recovery code safe - not with together with passwords
  • Use gmail or outlook email rather than personal domains for your account
  • API token is better than login details

2. Better governance

Consider the "bus factor" or "don't put all eggs in one basket"

One-person-band is not great!

A governance team with different roles are better 👍

Each role has right permission

3. An exit plan!!

It's ok to step down, but we need a plan

Ideally someone can take over

  • Does your project have multiple owners?
  • Do you have other trusted contributors?
  • Or consider donating it to a trusted organization

Transfer of ownership

  • Avoid orphan packages
  • Deactivate your account if you have stepped down
  • But don't delete packages!!!!

Thank you

Seth Michael Larson

Security Developer-in-Residence at the Python Software Foundation


Check out the blog post

Thank you

OpenSSF and Alpha-Omega

For supporting PSF to have Seth to help us


Glab the slides:

Thank you ❤️

...and please join the networking event tonight and chat with me


I have stickers 🙌

Security 101 for package maintainers

By Cheuk Ting Ho

Security 101 for package maintainers

  • 170