One of the true superpowers of Python is the libraries over at the Python Package Index. They are all just a "pip install" away. Yet, like all code that you run on your system, it is done with some degree of trust. How do we know that all of those useful packages are trustworthy?
That's the topic of this episode. Bentz Tozer and John Speed Meyers are here to share their research into typosquatting on PyPI and other sneaky deeds. But we also discuss some potential solutions and fixes.
Bentz Tozer is a Vice President in In-Q-Tel’s Cyber Practice, where he identifies and works with startups with the potential for high impact on national security. In previous roles, he has performed security research and software development with a focus on IoT devices and embedded systems. He has a PhD in systems engineering from George Washington University. email@example.com
John Speed Meyers is an engineer in IQT Labs and a researcher who focuses on software security, especially open source software supply chain security. He holds a PhD in policy analysis from the Pardee RAND Graduate School. He’s ambivalent about computers. firstname.lastname@example.orgLinks from the show