Episode 150: Dustin Ingram and the Open Source Security Team at Google
3 years ago
Description
Guest: Dustin Ingram
Panelists: Richard Littauer | Justin Dorfman

Show Notes

Hello and welcome to Sustain! The podcast where we talk about sustaining open source for the long haul. Joining us today is Dustin Ingram, who's a Staff Software Engineer on Google's Open Source Security Team, where he works on improving the security of open source software that Google and the rest of the world rely on. He's also the director of the Python Software Foundation and maintainer of the Python Package Index. Today, we'll learn about the Open Source Security Team at Google, what they do, the bill they've contributed to (the Securing Open Source Software Act of 2022), a rewards program they run to pay maintainers called SOS Rewards, and Google's role in the Sigstore project. Dustin also talks about the Python Package Index, shares his opinion on the difference between security and sustainability, and tells us what he's most excited about in the work going on over the next year or two. Download this episode now to find out more!

[00:01:10] Dustin fills us in on the Open Source Security Team at Google, what they do there, how they prioritize which packages to work on, and which security bugs to work on.
[00:03:25] We hear about the team at Google working on the bill 4913, the Securing Open Source Software Act of 2022.
[00:04:18] Justin brings up Dan Lorenc and Sigstore, and we learn about Google's role in this project and in making sure it's adopted more heavily in the supply chain.
[00:06:05] Dustin explains the model for how Google is working to make sure these projects stick together, and he tells us how an open source maintainer can make their code more reliable by going to Sigstore and other sites to talk to people.
[00:09:26] How does Google prioritize and choose which projects are the most important and where they're going to dedicate developer time to do that work?
[00:11:02] Dustin works on the Python Package Index, and he explains what it is, how many directors the PSF has, and how much he interfaces with other people there.
[00:12:17] We hear how Dustin dealt with the fallout from the backlash that happened when multifactor authentication was made mandatory for critical projects.
[00:16:52] When it comes to security, Richard wonders whether Dustin has put a lot of thought into the different grades of where it exists and who it's for, and whether there's a ten-to-fifty-year plan for when maintainers move on to do other things and people are no longer developing at all.
[00:19:13] Are there plans around education for maintainers and communities on how to onboard new maintainers and how to increase security without increasing the load on the maintainers working on their projects?
[00:20:21] We hear what the Securing Open Source Software Act is all about.
[00:22:21] Now that open source is the dominant form of distribution, Dustin shares his thoughts on whether open source will stop working and explains the real strength of open source.
[00:24:09] Richard brings up the US government trying to secure its supply chain, working with future maintainers, code packages, and foundations to figure out how to secure the ecosystem at large, and wonders whether Dustin sees a way for the government to try to secure open source without regulating it, and to figure out how to manage it without the help of foundations or package managers.
[00:26:56] Dustin shares his opinion on the difference between security and sustainability, what he thinks about that, and what he's most excited about in the work going on over the next year or two.
[00:30:28] Find out where you can follow Dustin and his work on the web.

Quotes

[00:03:34] "After Log4j, the government got really spooked because they really didn't know what software they were consuming, and President Biden did an executive order on securing a nation's cybersecurity, which was about setting a policy for how the government should consume open source."
[00:08:11] "We also do some other things to make that a little easier for open source maintainers to adopt these technologies."
[00:08:17] "One thing we have is a rewards program called SOS.dev, and that's a way that maintainers can get paid for doing what we feel is relevant security work."
[00:21:01] "The US government consumes a lot of open source software. They have a dependency on a lot more than most large companies that you can think of."
[00:21:11] "The answer to Log4j is not to stop using open source, it's to get better practices around determining what you have and just do industry best practices for finding and fixing vulnerabilities."

Spotlight

[00:31:17] Justin's spotlight is some awesome software called Rewind.ai.
[00:32:32] Richard's spotlight is Geoff Huntley.
[00:33:36] Dustin's spotlight is the Mozilla Open Source Support Program.

Links

SustainOSS (https://sustainoss.org/)
SustainOSS Twitter (https://twitter.com/SustainOSS?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
SustainOSS Discourse (https://discourse.sustainoss.org/)
podcast@sustainoss.org (mailto:podcast@sustainoss.org)
Richard Littauer Twitter (https://twitter.com/richlitt?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Justin Dorfman Twitter (https://twitter.com/jdorfman?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor)
Dustin Ingram Twitter (https://twitter.com/di_codes)
Dustin Ingram LinkedIn (https://www.linkedin.com/authwall?trk=gf&trkInfo=AQFx--arUWM32wAAAYVVP7pwcaKJmtv_xwAO_dyvHEdFxj0JMheal1V_PnvzCU1Fo_b5mai0jP51x2cucIULaN2C_6Hw_WNXexVVFtrbaamCLoGTNV3KU0oNc8E_cJD2AWGXUZA=&original_referer=https://www.google.com/&sessionRedirect=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fdustingram%2F)
Dustin Ingram Website (https://dustingram.com/)
Open Source Vulnerability (OSV) (https://osv.dev/)
Sustain Podcast - Episode 93: Dan Lorenc and OSS Supply Chain Security at Google (https://podcast.sustainoss.org/guests/dan-lorenc)
Sigstore (https://www.sigstore.dev/)
SOS Rewards (https://sos.dev/)
Python Package Index (PyPI) (https://pypi.org/)
Sustain Podcast - Episode 75: Deb Nicholson on the OSI, the future of open source, and SeaGL (https://podcast.sustainoss.org/75)
Open Technology Fund (https://www.opentech.fund/)
Rewind (https://www.rewind.ai/)
Geoff Huntley Twitter (https://twitter.com/GeoffreyHuntley)
Explaining NFTs: Geoffrey Huntley interviewed by Coffeezilla about his NFT Bay Heist (YouTube) (https://www.youtube.com/watch?v=iLDOSnqN9-I)
Mozilla Open Source Support Program (https://www.mozilla.org/en-US/moss/)

Credits

Produced by Richard Littauer (https://www.burntfen.com/)
Edited by Paul M. Bahr at Peachtree Sound (https://www.peachtreesound.com/)
Show notes by DeAnn Bahr, Peachtree Sound (https://www.peachtreesound.com/)

Special Guest: Dustin Ingram.