Security 101 for package maintainers

Grab the slides:
slides.com/cheukting_ho/security-101-for-package-maintainers

Are you a package maintainer?

Or do you use an open source library?

Name a library that you use everyday - a popular one

Now imagine you are maintaining that library

One day you wake up...

And discover that your GitHub account has been compromised!!

Baddies got your log in and everything...

What's worse, they can now publish a "new release" of your library that would be installed by a lot of unsuspecting people

Now you have put a lot of people, organizations and companies at risk...

This is not good!

Luckily, it hasn't happened... yet!

 

We need to do something to avoid it at all cost!!!

Security 101

 

a crash course about how to protect yourself and everyone

There are a few ways baddies can get you

  • Do you use the same password everywhere?
  • Do you use 2FA?
  • Is it SMS 2FA?
  • Is your email account secure?

1. Don't let baddies get your account

Secure your account by

  • Set a strong, unique password and use a password manager
     
  • Activate 2FA, with an authenticator app or hardware key rather than SMS
     
  • Keep your recovery codes safe, and not in the same place as your passwords
     
  • Use a Gmail or Outlook address rather than a personal domain for your account (an expired domain can be registered by someone else, who then receives your password resets)
     
  • Publish with an API token (scoped to one project where possible) rather than your login details

2. Better governance

Consider the "bus factor" or "don't put all eggs in one basket"

One-person-band is not great!

A governance team with different roles is better 👍

Each role gets only the permissions it needs

3. An exit plan!!

It's ok to step down, but we need a plan

Ideally someone can take over

  • Does your project have multiple owners?
     
  • Do you have other trusted contributors?
     
  • Or consider donating it to a trusted organization

Transfer of ownership

  • Avoid orphan packages
     
  • Deactivate your account if you have stepped down
     
  • But don't delete packages!!!!

Thank you

Seth Michael Larson

Security Developer-in-Residence at the Python Software Foundation

 

Check out the blog post

Thank you

OpenSSF and Alpha-Omega

For supporting the PSF so that Seth can help us

 

Grab the slides:
slides.com/cheukting_ho/security-101-for-package-maintainers

Thank you ❤️

...and please join the networking event tonight and chat with me

 

I have stickers 🙌

Security 101 for package maintainers

By Cheuk Ting Ho
