PyCon 2019 | Building Reproducible Python Applications For Secured Environments

  • root
  • July 25, 2019
  • 2 minute read

Speaker: Kushal Das

We all have to package Python-based applications for various environments, from command line tools to web applications. Depending on the users, an application can be installed on thousands of computers or on a selected few systems. https://pypi.org is our go-to place for finding any dependencies, and most of the time we install binary wheels directly from there, thus saving a lot of time.

But Python is also used in many environments where security is of the utmost importance, and validating the dependencies of a project is as critical as validating the actual project source code. Many of us noticed the recent incident where people were able to [steal bitcoins using a popular library](https://www.theregister.co.uk/2018/11… talk will take the [SecureDrop client application](https://github.com/freedomofpress/sec…) for journalists as an example project and see how we tried to tackle a similar problem. SecureDrop is an open source whistleblower system which is deployed at over 75 news organizations all over the world. Our threat model includes nation state actors as possible threats, so the security and privacy of the users of the system is a very important point of the whole project. The tools in this case are built and packaged into reproducible Debian deb packages and are installed on Qubes OS on the final end user systems.

There are two basic ways we handle Python project dependencies. For most development work, we use a virtualenv and directly install the dependencies using wheels built from pypi.org. When we package the application for the end users, many times we package it using an operating-system package manager and ask the users to install with that (say RPM or Debian's deb package). In the second case, all the dependencies come as separate packages (and most of the time from the OS itself), and dependency handling is done by the OS package manager. In that case, we cannot update the dependencies fast enough if required; it depends on the packagers from the community who maintain those packages in the distribution.

We use the [dh-virtualenv](https://dh-virtualenv.readthedocs.io/…) project to help us use our own wheels plus a virtualenv for the project, packaged inside the Debian .deb package. This talk will go through [the process](https://github.com/freedomofpress/sec…) of building wheels from known (sha256sum-verified) source tarballs, then keeping a GPG-signed list of updated wheels and [a private index](https://github.com/freedomofpress/sec…) for the same, and also how we verify the wheels' sha256sums (and the signature of that list) during the build process. The final output is reproducible Debian packages.
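The following is an added example, not SecureDrop's or the speaker's own tooling, showing the build-time check the two paragraphs above describe: every wheel in the build directory must match the sha256 recorded in a signed list, and only then is a hash-pinned requirements file produced so that pip can refuse anything else. The manifest format (sha256sum-style `<digest>  <filename>` lines), the package names and the wheel bytes in the demo are constructed for illustration; the GPG step calls the real `gpg --verify <sig> <file>` invocation but is not exercised offline because it needs the signing key in the keyring.

```python
"""Verify a directory of wheels against a GPG-signed sha256 manifest and
emit a hash-pinned requirements file.

Added illustration of the process described in the talk abstract; not
SecureDrop's own code. Manifest format, file names and sample wheel bytes
are assumptions made for this example.
"""
import hashlib
import os
import subprocess
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large wheels do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into a dict.
    Blank lines and '#' comments are ignored; anything else malformed is an error."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum's binary-mode marker
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify_detached_signature(manifest_path, sig_path):
    """Check the manifest's detached GPG signature before trusting its digests.
    Runs 'gpg --verify <sig> <file>'; requires gpg and the signing key in the
    keyring, so the offline demo below does not call it."""
    result = subprocess.run(["gpg", "--verify", sig_path, manifest_path],
                            capture_output=True)
    return result.returncode == 0


def verify_wheels(wheel_dir, manifest):
    """Return (ok, problems). An unlisted wheel, a listed wheel that is absent,
    or a digest mismatch each fail the build."""
    problems = []
    present = {n for n in os.listdir(wheel_dir) if n.endswith(".whl")}
    listed = set(manifest)
    for name in sorted(present - listed):
        problems.append(f"unlisted wheel: {name}")
    for name in sorted(listed - present):
        problems.append(f"missing wheel: {name}")
    for name in sorted(present & listed):
        if sha256_of_file(os.path.join(wheel_dir, name)) != manifest[name]:
            problems.append(f"sha256 mismatch: {name}")
    return (not problems, problems)


def pinned_requirements(manifest):
    """Render 'dist==version --hash=sha256:<digest>' lines from the verified
    manifest, for 'pip install --require-hashes --no-index --find-links <dir>'."""
    lines = []
    for filename, digest in sorted(manifest.items()):
        # wheel filename: {dist}-{version}(-{build})?-{python}-{abi}-{platform}.whl
        dist, version = filename[:-4].split("-")[:2]
        lines.append(f"{dist}=={version} --hash=sha256:{digest}")
    return "\n".join(lines) + "\n"


def demo():
    """Constructed sample: two fake wheels; one is altered after the manifest
    was written, as a swapped or tampered artifact would be."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "alpha-1.2.0-py3-none-any.whl")
    bad = os.path.join(tmp, "beta-0.9.1-py3-none-any.whl")
    with open(good, "wb") as f:
        f.write(b"constructed wheel bytes for alpha")
    with open(bad, "wb") as f:
        f.write(b"constructed wheel bytes for beta")
    manifest_text = (f"{sha256_of_file(good)}  {os.path.basename(good)}\n"
                     f"{sha256_of_file(bad)}  {os.path.basename(bad)}\n")
    manifest = parse_manifest(manifest_text)
    ok_before, _ = verify_wheels(tmp, manifest)
    with open(bad, "ab") as f:
        f.write(b"\x00")  # simulate tampering after the list was signed
    ok_after, problems = verify_wheels(tmp, manifest)
    return ok_before, ok_after, problems, pinned_requirements(manifest)


if __name__ == "__main__":
    before, after, probs, reqs = demo()
    print("clean build verified:", before)
    print("tampered build verified:", after, probs)
    print(reqs)
```

In a real build the order matters: verify the detached signature on the list first, then the wheel digests against the list, and only then hand the pinned requirements to pip with `--require-hashes --no-index --find-links <wheel dir>` so the resolver cannot silently fall back to pypi.org.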
Slides can be found at: https://speakerdeck.com/pycon2019 and https://github.com/PyCon/2019-slides
