Are you a package maintainer?

Name a library that you use everyday - a popular one

One day you wake up...

Baddies got your log in and everything...

Now you have put a lot of people, organizations and companies at risk...

Security 101

a crash course about how to protect yourself and everyone

There are a few ways baddies can get you

• Did you use the same password everywhere?
• Did you use 2FA?
• Did you use SMS 2FA?
• Is your email account secure?

1. Don't let baddies get your account

Secure your account by

• Setting a strong password and using password managers
   
• Activate 2FA - but not SMS 2FA
   
• Keep recovery code safe - not with together with passwords
   
• Use gmail or outlook email rather than personal domains for your account
   
• API token is better than login details

2. Better governance

Consider the "bus factor" or "don't put all eggs in one basket"

One-person-band is not great!

Each role has right permission

3. An exit plan!!

It's ok to step down, but we need a plan

Ideally someone can take over

• Does your project have multiple owners?
   
• Do you have other trusted contributors?
   
• Or consider donating it to a trusted organization

Transfer of ownership

• Avoid orphan packages
   
• Deactivate your account if you have stepped down
   
• But don't delete packages!!!!

Thank you

Seth Michael Larson

Security Developer-in-Residence at the Python Software Foundation

Check out the blog post

Thank you

OpenSSF and Alpha-Omega

For supporting PSF to have Seth to help us

• Part of the Linux Foundation
• Focus on Open Source Security
• Not for Profit
• Security newsletters and blog
• Free courses:
  • Secure Software Development Fundamentals
  • Securing Your Software Supply Chain with Sigstore
  • Securing Projects with OpenSSF Scorecard

Join our DevRel community

Meeting every 2nd Thursday of the month

Get involved:

• Join Slack (#devrel-community)
• Mailing list
• Subscribe to our YouTube Channel

• Follow us on Mastodon

• Follow us on Twitter

• Follow us on LinkedIn

• Follow us on Facebook

Glab the slides:
slides.com/cheukting_ho/security-101-for-package-maintainers

Thank you ❤️

...and please join the networking event tonight and chat with me

I have stickers　🙌