Dom Weldon
I asked myself a question: “what happens when you import something in python?” The answer was not as simple as I thought. In this talk, I’ll share what I learnt, and discuss why this is vital for security, before sharing opinions on tooling, especially the use of the Poetry alternative PDM, in 2024.
Python has a rich ecosystem of open source packages available to assist with almost any conceivable requirement. Installing, using, and updating these packages should be quick, easy, and secure. However, dependency management and python packaging have historically been a source of frustration for developers, particularly with the added complications of virtual environments and subtle differences between python versions. Furthermore, software supply chain security has taken on particular importance of late, as increasing numbers of major vulnerabilities have been discovered that require fast, sometimes immediate, mitigation.
In recent years, efforts have been made to improve packaging and dependency management in python, and we have seen the release of a number of developer tools, including Poetry, pipenv, and pipx. These work alongside pip and earlier tools such as distutils, setuptools, and easy_install, and offer higher level interfaces for developers to work with. In 2020, a new tool called PDM (Python Dependency Manager) was released, and it has been gaining traction amongst developers in recent years.
This talk will start by giving an overview of how python imports work, before moving on to cover a brief history of package management in python, and an overview of the current state of play, and the vulnerabilities that we are exposed to by supply chain attacks. We’ll then give a brief introduction to PDM, before discussing what practical steps we can take to both improve our developer experiences, and ensure the code we write is modern, secure, and maintainable.
We’ll ask questions including the following.
* What actually happens ‘under the hood’ when we use the import statement?
* How many different ways can we import a package in python?
* What does a dependency manager do, and how does it work?
* What does a supply chain attack look like, and how do we try to stop one from happening?
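As an added illustration of the first question (not part of the talk), here is a minimal meta path finder showing that `import x` walks `sys.meta_path` in order: a finder placed at the front sees every import request before the standard finders resolve it, which is the hook a defender can use to record where each module really comes from or to refuse a name outright. The names `ImportAuditor` and `audit_import`, and the choice of `colorsys` as a harmless sample module, are my own.

```python
import importlib
import importlib.abc
import importlib.machinery
import sys


class ImportAuditor(importlib.abc.MetaPathFinder):
    """Observe (and optionally block) imports without loading anything.

    Inserted at index 0 of sys.meta_path, this finder is consulted for every
    module not already cached in sys.modules. It always returns None, so the
    regular finders still perform the actual load; it only records what was
    asked for and where the path-based finder would satisfy it from.
    """

    def __init__(self, blocked=()):
        self.blocked = set(blocked)   # top-level names refused by policy
        self.seen = []                # (fullname, origin) in request order

    def find_spec(self, fullname, path, target=None):
        top = fullname.partition(".")[0]
        if top in self.blocked:
            raise ImportError(f"import of {fullname!r} blocked by policy")
        # Ask the standard path finder where this module would come from,
        # purely for the record; built-in/frozen modules yield None here.
        spec = importlib.machinery.PathFinder.find_spec(fullname, path)
        self.seen.append((fullname, spec.origin if spec else None))
        return None  # defer to the remaining finders in sys.meta_path


def audit_import(name, blocked=()):
    """Import `name` with the auditor active; return the recorded requests."""
    auditor = ImportAuditor(blocked)
    sys.meta_path.insert(0, auditor)
    sys.modules.pop(name, None)  # bypass the cache so the finders run
    try:
        importlib.import_module(name)
    finally:
        sys.meta_path.remove(auditor)
    return auditor.seen


def import_blocked(name, blocked):
    """True if policy prevented `name` from loading."""
    try:
        audit_import(name, blocked)
    except ImportError:
        return True
    return False


if __name__ == "__main__":
    for fullname, origin in audit_import("colorsys"):
        print(f"{fullname} -> {origin}")
```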
Finally, the speaker will offer an opinionated guide to some of the best python tooling and package management setups available to python developers in 2024.