But now we have Evan Brumley, where we will be working out how to pick the right third-party packages for your project. Let's make Evan feel welcome.

[Applause]

All right, awesome. So, g'day, my name is Evan Brumley. I'm the software engineering lead at WSB Digital in Melbourne, and today I'm going to be talking about this little guy: pip install. If you look at any Python tutorial, or particularly Django tutorials, the time to pip install can usually be measured in minutes. It's one of the first things that we have beginner programmers do, and it's not necessarily the safest thing. So today I'm going to be talking a little bit about packages and how to pick the right one.

So let's start with a little case study. It's February 9, 2023. My crypto wallet is empty, my web3 enterprise is ruined, my apes are gone. Can anyone take a look at my requirements.txt and tell me what's happened?

No, Django REST framework is actually not supposed to have dashes. That will catch you out; that's caught me out in the past. But you're on the right track. The actual one is "matplutlib". That should be matplotlib. I've made a typo, and that typo has cost me dearly, because on February 9, 2023 some bad actors uploaded about four hundred and something packages to PyPI with common misspellings of package names, and matplutlib was one of them. Those packages tended to be revolving around packages that were to do with the crypto community, or packages that crypto people use, and the cost of installing matplutlib for me was that a browser extension was downloaded and installed on my machine which quietly switched out crypto addresses on my computer clipboard. So when I went to copy one cryptocurrency address, it switched it with the attacker's cryptocurrency address, and I sent my apes to someone in North Korea. There is a really great write-up; I'd suggest having a look at that link. They go into quite a lot of detail about what happened.

But the point I'm trying to make here is that packages are not necessarily safe. They have a lot of power; they have the same power that your application has. Using other people's code is the riskiest thing you can do in software engineering, short of writing your own code.

So this talk is about how we can manage that risk. In this talk I'm going to be presenting a framework; this is kind of the way I think about packages when I'm picking the ones to install. I'm going to start by talking a little bit about identifying your project's risk profile, which is basically determining your appetite for risk in packages. I'm going to talk very briefly about architectural fit, so how to pick the right packages for your project from a purely technical, "do they do what they should be doing" perspective. And then I'm going to talk about risk from a few angles: licensing risk, security risk, maintenance and quality risk, and I'll go through those in detail. I'm going to talk about finding alternatives, and then I'm going to talk about, if you can't find alternatives, how do you mitigate the risks that packages present.

So let's start off with risk profiles. What is a risk profile? I'm kind of defining it as a frank assessment of the dangers that your app will face in the wild and the dangers that your app could pose to others. This could be a formal document, something that you put together; if you're working in a big project your project manager might be involved, you write up a big PDF and present it to your stakeholders. Or if you're working on a personal project this could be a super informal thing; it could be just a picture in your head and an understanding that you have. The most important thing is that once you establish your risk profile you should be sharing it with everybody on your team. Everyone on your team needs to have a firm understanding of this.

So here are some examples of where projects can fit on a risk continuum. These are just some categories that I've dreamed up, nothing official, but just a starting point for how to think about risk. A low-risk project might be a personal project, some proof-of-concept code, something that's not on the public internet, but something that has kind of a short lifespan, so something you're not going to be supporting super long term. You'll then work up through medium to higher risk as your app moves on to the public internet or onto a local corporate intranet. As the length of time that you're going to be supporting this app increases, you're going to have to start thinking more carefully about the packages that you incorporate into your app and the effects that they're going to have long term, on security, etc. And we move all the way up into the extreme risk category: let's say you're working on government projects or military projects, if you have a high volume of sensitive or personal information, particularly if you have vulnerable users for whom, if data got out, that would be a huge problem and cause significant issues, or if there's a high likelihood of a targeted attack, if your app is likely to be targeted by bad actors specifically looking directly at your app and trying to break it. Then you kind of fall into that extreme risk category, and you should be extraordinarily careful with any application code; you're doing full review.

So why do you need one of these? This risk profile forms the basis of all of your risk-related decisions for your project. It's important to communicate this carefully with all of your team, because risks may not be immediately clear to everyone on your team. Especially in a standard project you'll have junior team members, senior team members, people coming from different experiences, so it's really important that all of those risks are fully understood by absolutely everyone, because they may not be obvious.

Final point here: teams can sometimes sleepwalk into high-risk situations with their applications. When you're picking your packages, you'll pick ninety percent of your packages in the first week of a project's lifespan, and if you haven't already thought about your risk profile then you may find that it's too late. And projects can sometimes also move from low to high risk over their lifetime, so continually revisit your risk profile.

So now I'm going to talk a little bit about architectural fit. I'm not going to go into huge detail here, because this is basically a skill that you'll build up over time and there's an awful lot to take in, but I'm just going to give you a few questions to think about.

The first question, the most important one from my perspective, is: do you really need it? People have this view of building Django applications as kind of constructing applications out of Lego. You look at the way Django apps are, the way Django projects are formed; you have apps, and if I want to-dos I'll install a to-do app, I'll go out and find a to-do app on the internet in a package. But a package is not always the right fit. It might be a trivial bit of functionality that you could do in a few lines of code. It might be something that isn't really architectural best practice; there's an awful lot of django-something-something packages out there that are combining things in weird and wonderful ways. Maybe you should think about looking at it holistically, looking at best practices, doing your research, and more research than just Googling for a package.

Next, look at whether you'll be using this package correctly. Are you using this package as the authors were intending it to be used? If you use a package in a unique and unexpected way, do not be surprised if a minor update breaks it in a unique and unexpected way. Number one rule of programming: don't get clever. So make sure that you're using it as intended, that you're not hacking it together, and if you do have to hack something together for whatever reason, document it incredibly carefully and make sure that it's known to everyone on the project that you've accepted that risk.

Lastly, have a look at how it will affect your code base. Many packages have very strong opinions over how you should integrate them, how you should code around them. In some cases that's a really good thing; think Django. Django is a framework; it guides you to the best practices. But some packages will guide you in different, competing directions. So take a holistic view of your application, look at all the other packages that you have installed and what your team's best practices are, and make sure that the package is actually going to be enforcing the right patterns for your project.

Good dependencies tend to solve difficult problems, like cryptography or web frameworks. They tend to have clear and ring-fenced responsibilities. As I mentioned, they do the job they were specifically designed to do in your application, and most importantly they leave your application room to grow, so they open doors rather than close doors.

As I mentioned, this is a core architectural skill that comes with experience, so do deep research, look beyond just Googling for packages, and expect to make mistakes. Every single application developer will have that one thing that they installed that they really wish they hadn't. And ask for help, because this is a skill that's gained over experience. Reach out to your fellow developers, come to conferences like this, talk to people, ask people how they solve particular problems, and really rely on the experience of others to learn.

Okay, so now moving on to analyzing the actual risk from a package. I'm going to look at four types of risk: licensing risk, security risk, maintenance and quality risk, and I'm going to look at these in turn: how to identify these risks and how to gauge the levels of risk on particular packages.

So I'm going to start with another case study. I've just launched my startup with 30 million dollars in seed funding. My app is really, really cool: it connects to your git repo, runs a bunch of common linting rules and then automatically generates some code review comments. I built the entire thing off open source code; I didn't have to write any linting code myself. It's great; I've relied on the open source community to do most of that work for me. However, my primary investor has just left me a very angry voicemail and says that I have to meet with the lawyers first thing on Monday. Can anyone spot from my requirements.txt the mistake I've made?

So what I've actually done, you may not have realized this, but pylint is GPL code. You cannot use pylint; you cannot incorporate pylint's code into your project in a functional way. You can use it as a tool to analyze your code base, but if you try and build a product off it then, by having it licensed under GPL, you have now essentially committed to open-sourcing your entire product under the same license. So I need to immediately stop using that package or open source my app.

And this is leading into licensing risk. Licensing risk is the risk of using code that is not yours to use, and also the risk of accidentally open-sourcing your entire project. This is an easy one to check: always check the license. There are some licenses that you can probably use; these are known as permissive open source licenses. They include MIT, Apache, ISC, BSD (the 3-Clause and 2-Clause). These licenses give you a lot of freedom to use that code in any way you want; you can effectively use it for commercial purposes, for personal projects, anything you like. There are no warranties provided, but you can use it and you can build commercial applications off it.

There are some licenses that you almost certainly can't use. Those include the GPL licenses: GPL v2, v3, AGPL, LGPL. These are kind of known as share-alike licenses or viral licenses, and you have certain obligations under those licenses if you use that code; for those licenses it's usually that you release the code under the same license.

The Creative Commons licenses can be permissive, but you have to look at the detail. Every Creative Commons license will have a certain list of suffixes after it; some of those are permissive and some of them are not. The ones that I've listed there: Creative Commons Share Alike has the same issues as those GPL licenses. CC NC means non-commercial: you can use that code but only for non-commercial purposes. And CC ND means no distribution, which means that you can look at that code, they've released it so that people can see how things work, but you are not allowed to use that in any way.

Finally, if there is no license provided on a project (you can usually see this by looking for a license file in the repository), if there is no license file, you cannot use that code; that is considered All Rights Reserved. There's a link to a GitHub readme there which I highly recommend for reading up on open source licenses.

So next, and this goes back to that first case study I presented, the security risk. This is primarily the risk of security vulnerabilities: it's the risk that an app will contain code that, while not malicious, does contain some vulnerabilities that could open up your project to attack. It also includes the risk of packages that are in fact malicious, like matplutlib, and the risk of previously benign packages becoming malicious due to a changeover, or someone taking over that project and inserting malicious code.

So what are some positive indicators? What are some things to look for to indicate that security risks are being mitigated on a project?

First point: regular activity, and you're going to see this one across all types of risk as a good indicator. You want to make sure that people are actually regularly committing code to that package. Look at the commit history, look at the release history. It's actually very important to look at the release history as well as the commit history, because if they are committing every day but they haven't had a release in three years, that doesn't really help you very much. But a package that's being actively worked on is less likely to have security vulnerabilities, because people are actually looking at the code.

Similarly, high popularity, which you can look at by GitHub stars (although they can be misleading) and PyPI downloads. Look and see how many other people are using this package. There is some level of safety in numbers; it's not absolute safety, but it's a good start, because other people might be attacked first, or there might be more people, more scrutiny, on a package that's very commonly used.

Active community, and this is kind of separate to activity, but active community means: is there a good set of contributors who are looking into a project? Is it not just one guy? Do they have a diverse set of people, of eyes, looking at this project to spot things that one person could miss?

Some more specific security-related things: do they have a rapid response to vulnerabilities? If people report things on their GitHub issues, or if it's a bigger project, do they have CVEs raised against them? How rapidly does that team respond to those vulnerabilities?

Look for a responsible disclosure policy. This is a policy that's usually advertised on a project home page or on a GitHub repo, basically giving instructions for how to report particular vulnerabilities without putting them onto a public issue tracker so that bad actors can see them.

And lastly, and these are pretty rare on open source projects but great if they have them: third-party assessments and penetration tests are awesome. Some bigger projects will have them; they'll go out to third parties and say, can you take a look at this code, look in detail at this code and see if you can spot anything. And they'll usually advertise those on the project home page.

Some negative indicators, so some things that are not necessarily deal breakers but things that can raise the level of security risk. If a package is doing higher-risk activities, so examples here like payment processing, authentication, cryptography, anything to do with cryptocurrencies, that means that that package is more likely to be targeted in an attack, so any vulnerabilities in there are more likely to be found and exploited. So do a careful review; consider how the package does what it does. Some high-risk activities can be hidden in the background, so really do a deep dive, just think hard about what those packages are actually doing and whether there is anything there that's likely to be dangerous.

Large attack surfaces. So these are apps that are doing inherently risky things, like calling system functions. For instance, Django is a great example of a package with a large attack surface: it has web processing, all the stuff that we've seen, handling HTTP requests, cookies, authentication, cryptography. All of these things are avenues that the bad actors would really like to target, so you expect a higher level of governance and security and testing on projects that have those sorts of attack surfaces.

So moving on to maintenance risks. This is the risk that a package will degrade over time, that it won't be maintained, that it'll be difficult to bring in-house if it does fall out of maintenance. Activity, popularity and community are really important points here. I'm not going to go over them again, but basically if a package is actively maintained and popular and has a great community then there is far less risk that it will not be maintained in the long term.

Some more specific things: backing by organizations. If it has funding, or there are a lot of big organizations that are using it, that's a really good sign. If they have financial support, which is sadly very rare in the open source community, but if there is financial support then it means that the development is likely more sustainable. Also if a package has evergreen functionality, which is very self-contained functionality that's unlikely to change over time, examples being algorithm implementations, or if it's parsing a protocol that hasn't changed since the 1980s, then if it hasn't been updated in a few years then, look, it's probably fine.

And some negative indicators there: if it's only backed by one organization and completely owned by one organization
00:20:21,960 --> 00:20:25,559 then you should be looking carefully at 561 00:20:23,880 --> 00:20:28,020 that organization's track record for 562 00:20:25,559 --> 00:20:29,460 maintaining things it's not a guarantee 563 00:20:28,020 --> 00:20:32,280 if it's open source now it's not a 564 00:20:29,460 --> 00:20:34,620 guarantee it will always be open source 565 00:20:32,280 --> 00:20:36,740 um so you know be very careful if you're 566 00:20:34,620 --> 00:20:40,260 sort of using your 567 00:20:36,740 --> 00:20:42,840 ex-organizations I'm I shouldn't say x 568 00:20:40,260 --> 00:20:45,059 um why organizations 569 00:20:42,840 --> 00:20:46,500 um uh you know package because there's 570 00:20:45,059 --> 00:20:48,240 no guarantee it'll be supported tomorrow 571 00:20:46,500 --> 00:20:49,980 because you know organizations are 572 00:20:48,240 --> 00:20:52,380 fickle 573 00:20:49,980 --> 00:20:55,320 um also look for packages with a really 574 00:20:52,380 --> 00:20:57,240 high support burden if it's very complex 575 00:20:55,320 --> 00:20:59,460 functionality rapidly changing subject 576 00:20:57,240 --> 00:21:01,740 matter if they're depending on external 577 00:20:59,460 --> 00:21:03,419 apis that change rapidly then the burden 578 00:21:01,740 --> 00:21:06,120 on those on the developers of that 579 00:21:03,419 --> 00:21:07,559 package is likely to be higher 580 00:21:06,120 --> 00:21:09,000 um so 581 00:21:07,559 --> 00:21:10,380 um you know there is a greater chance 582 00:21:09,000 --> 00:21:13,260 that they might burn out if they don't 583 00:21:10,380 --> 00:21:15,179 have the necessary supports in place 584 00:21:13,260 --> 00:21:16,440 so finally this is kind of the trickiest 585 00:21:15,179 --> 00:21:18,600 one 586 00:21:16,440 --> 00:21:19,980 but quality risks 587 00:21:18,600 --> 00:21:22,799 um risks that the package won't perform 588 00:21:19,980 --> 00:21:24,840 as advertised it will be buggy might be 589 00:21:22,799 --> 00:21:27,720 difficult to work 
with or it'll force 590 00:21:24,840 --> 00:21:29,220 you into bad practices in your code 591 00:21:27,720 --> 00:21:32,059 um 592 00:21:29,220 --> 00:21:35,460 again activity popularity Community 593 00:21:32,059 --> 00:21:37,559 really good signs but look for project 594 00:21:35,460 --> 00:21:39,600 governance if you can't actually dig 595 00:21:37,559 --> 00:21:41,460 deep into the code because you don't 596 00:21:39,600 --> 00:21:43,919 have that sort of level of experience of 597 00:21:41,460 --> 00:21:46,679 looking through python code look for the 598 00:21:43,919 --> 00:21:48,179 governance processes so look for you 599 00:21:46,679 --> 00:21:50,340 know do they have sort of detailed 600 00:21:48,179 --> 00:21:52,380 release notes do they have really good 601 00:21:50,340 --> 00:21:54,840 solid documentation that's easy to read 602 00:21:52,380 --> 00:21:56,460 do they have formal deprecation policies 603 00:21:54,840 --> 00:21:58,380 like look into Django's deprecation 604 00:21:56,460 --> 00:21:59,820 policy for a really fantastic example of 605 00:21:58,380 --> 00:22:01,400 how that should be done in a project 606 00:21:59,820 --> 00:22:04,740 with great governance 607 00:22:01,400 --> 00:22:06,780 and lastly look for test coverage 608 00:22:04,740 --> 00:22:08,280 um so you know a test Suite is a great 609 00:22:06,780 --> 00:22:10,380 indicator that those developers actually 610 00:22:08,280 --> 00:22:13,460 here are working in a professional way 611 00:22:10,380 --> 00:22:16,559 and really care about their work 612 00:22:13,460 --> 00:22:18,120 negative indicators really you just have 613 00:22:16,559 --> 00:22:19,799 to dig into the code and have a look but 614 00:22:18,120 --> 00:22:22,140 that's tricky 615 00:22:19,799 --> 00:22:23,640 um you know go and if you need you know 616 00:22:22,140 --> 00:22:26,100 go out and reach out for help ask your 617 00:22:23,640 --> 00:22:27,480 senior developers and other people in 618 00:22:26,100 --> 
00:22:29,100 the community to have a look at a parrot 619 00:22:27,480 --> 00:22:31,140 package and see what they think of the 620 00:22:29,100 --> 00:22:33,260 code does it conform to best practices 621 00:22:31,140 --> 00:22:36,000 Etc 622 00:22:33,260 --> 00:22:38,760 so I've covered a lot of indicators 623 00:22:36,000 --> 00:22:41,720 there luckily there is a really helpful 624 00:22:38,760 --> 00:22:45,179 tool out there called sneak advisor 625 00:22:41,720 --> 00:22:47,460 sneak advisor is essentially a database 626 00:22:45,179 --> 00:22:49,140 of every pipei package out there as well 627 00:22:47,460 --> 00:22:51,380 as actually npm packages and rust 628 00:22:49,140 --> 00:22:53,760 packages and go packages 629 00:22:51,380 --> 00:22:55,440 and you can type in any package that's 630 00:22:53,760 --> 00:22:57,559 on pipe EI and it will give you a report 631 00:22:55,440 --> 00:23:00,419 like you see here 632 00:22:57,559 --> 00:23:02,340 these reports cover a lot of all the 633 00:23:00,419 --> 00:23:03,840 things that I've just talked about in 634 00:23:02,340 --> 00:23:06,600 particular activity and Community 635 00:23:03,840 --> 00:23:07,919 licenses it will have a big flat a big 636 00:23:06,600 --> 00:23:10,260 warning if something is in a 637 00:23:07,919 --> 00:23:12,740 non-permissive license it'll give give 638 00:23:10,260 --> 00:23:16,679 you graphs of popularity over time 639 00:23:12,740 --> 00:23:18,960 commit frequency releases and it will 640 00:23:16,679 --> 00:23:20,880 coalesce all of that into a score so you 641 00:23:18,960 --> 00:23:22,679 can see Django scores very well 96 out 642 00:23:20,880 --> 00:23:24,780 of 100. 
643 00:23:22,679 --> 00:23:27,059 um and it gives you like helpful badges 644 00:23:24,780 --> 00:23:29,100 up in the top top right that tell you 645 00:23:27,059 --> 00:23:31,080 where particular packages might fall 646 00:23:29,100 --> 00:23:32,820 down or what you should be aware of so 647 00:23:31,080 --> 00:23:34,740 highly recommend if you're looking at 648 00:23:32,820 --> 00:23:37,520 packages type them into here have a look 649 00:23:34,740 --> 00:23:39,840 and see what it says 650 00:23:37,520 --> 00:23:42,900 so finally if we're looking for 651 00:23:39,840 --> 00:23:44,580 alternatives to pack picture packages 652 00:23:42,900 --> 00:23:46,620 um 653 00:23:44,580 --> 00:23:48,299 let's say that you you don't like a 654 00:23:46,620 --> 00:23:49,799 package it does an unacceptable risk 655 00:23:48,299 --> 00:23:52,980 profile 656 00:23:49,799 --> 00:23:54,840 um how do we find Alternatives so 657 00:23:52,980 --> 00:23:56,520 my first point the first Google result 658 00:23:54,840 --> 00:23:58,620 may not be the best option Google 659 00:23:56,520 --> 00:24:00,419 results are fickle 660 00:23:58,620 --> 00:24:01,860 um and they will frequently give you the 661 00:24:00,419 --> 00:24:05,340 thing that you search for if you search 662 00:24:01,860 --> 00:24:06,840 for you know Django react date picker it 663 00:24:05,340 --> 00:24:09,720 will give you some package called Django 664 00:24:06,840 --> 00:24:10,799 Dash rate Dash react Dash date picker it 665 00:24:09,720 --> 00:24:12,059 won't tell you that you should be 666 00:24:10,799 --> 00:24:13,380 integrating you think about you should 667 00:24:12,059 --> 00:24:15,120 be thinking about those things entirely 668 00:24:13,380 --> 00:24:19,559 separately 669 00:24:15,120 --> 00:24:21,840 um so yeah do do a sort of back to basic 670 00:24:19,559 --> 00:24:25,559 search look for lots of different 671 00:24:21,840 --> 00:24:27,600 keywords do searches on pipei look on 672 00:24:25,559 --> 00:24:29,580 
Django packages.org which has been a 673 00:24:27,600 --> 00:24:31,799 long-running fantastic resource that 674 00:24:29,580 --> 00:24:34,620 tells you gives you sort of Matrix views 675 00:24:31,799 --> 00:24:36,120 if you give it a particular topic then 676 00:24:34,620 --> 00:24:38,039 it will give you a view of a whole lot 677 00:24:36,120 --> 00:24:40,740 of different different packages that do 678 00:24:38,039 --> 00:24:42,720 that job ask around ask on forums go to 679 00:24:40,740 --> 00:24:45,260 conference go to conferences and meetups 680 00:24:42,720 --> 00:24:45,260 and talk to people 681 00:24:46,140 --> 00:24:51,320 um finally how do we mitigate risks 682 00:24:49,020 --> 00:24:53,700 every package has some level of risk 683 00:24:51,320 --> 00:24:56,280 most packages will fail at least a few 684 00:24:53,700 --> 00:24:58,500 criteria even good packages die 685 00:24:56,280 --> 00:24:59,880 eventually and sometimes only one 686 00:24:58,500 --> 00:25:02,940 package does the job and it hasn't been 687 00:24:59,880 --> 00:25:05,280 updated since 2013 but we can manage 688 00:25:02,940 --> 00:25:08,520 that risk to some extent 689 00:25:05,280 --> 00:25:10,799 first off licensing risk there's not a 690 00:25:08,520 --> 00:25:12,480 whole lot you can do here I recommend 691 00:25:10,799 --> 00:25:14,100 asking the developers nicely to change 692 00:25:12,480 --> 00:25:14,880 the license this has worked for us in 693 00:25:14,100 --> 00:25:16,799 the past 694 00:25:14,880 --> 00:25:18,299 sometimes developers especially 695 00:25:16,799 --> 00:25:20,280 developers who are new to open source 696 00:25:18,299 --> 00:25:21,960 will look for open source license C GPL 697 00:25:20,280 --> 00:25:23,340 and say yes that's the one because it's 698 00:25:21,960 --> 00:25:25,799 an open source license and not really 699 00:25:23,340 --> 00:25:27,600 understand the ramifications 700 00:25:25,799 --> 00:25:29,039 um so you're filing a support ticket and 701 
00:25:27,600 --> 00:25:31,620 asking nicely if they could change it to 702 00:25:29,039 --> 00:25:33,299 a permissive license can be a good 703 00:25:31,620 --> 00:25:36,120 option 704 00:25:33,299 --> 00:25:37,740 that doesn't work talk to a lawyer there 705 00:25:36,120 --> 00:25:40,140 are some ways that sometimes that you 706 00:25:37,740 --> 00:25:43,080 can integrate that code but you have to 707 00:25:40,140 --> 00:25:44,820 be extraordinarily careful with how you 708 00:25:43,080 --> 00:25:48,539 structure it and it really needs a 709 00:25:44,820 --> 00:25:50,700 lawyer involved so generally avoid if 710 00:25:48,539 --> 00:25:52,400 you can but otherwise your company's 711 00:25:50,700 --> 00:25:55,440 lawyers may help 712 00:25:52,400 --> 00:25:58,260 mitigating security risk supply chain 713 00:25:55,440 --> 00:25:59,279 scanning tools these are really handy 714 00:25:58,260 --> 00:26:03,299 they will look through all of your 715 00:25:59,279 --> 00:26:04,440 requirements and give you advice on on 716 00:26:03,299 --> 00:26:06,059 tell you if there are any security 717 00:26:04,440 --> 00:26:09,059 vulnerabilities on on particular 718 00:26:06,059 --> 00:26:11,400 packages a great free one is dependabot 719 00:26:09,059 --> 00:26:13,080 which is free with GitHub there is also 720 00:26:11,400 --> 00:26:15,480 safety which is free for non-commercial 721 00:26:13,080 --> 00:26:16,679 use that's a command line python command 722 00:26:15,480 --> 00:26:19,380 line application that you can run on 723 00:26:16,679 --> 00:26:20,820 your requirements there's also sneak 724 00:26:19,380 --> 00:26:22,620 which you run that sneak advisor 725 00:26:20,820 --> 00:26:24,179 platform they are very expensive but 726 00:26:22,620 --> 00:26:26,039 they're also in the industry later in 727 00:26:24,179 --> 00:26:28,820 the area 728 00:26:26,039 --> 00:26:31,080 um perform careful code review 729 00:26:28,820 --> 00:26:33,600 commission penetration testing if you 730 
00:26:31,080 --> 00:26:36,059 have budget you can host your own 731 00:26:33,600 --> 00:26:38,059 package repository to avoid packages 732 00:26:36,059 --> 00:26:40,260 being swapped down under under you 733 00:26:38,059 --> 00:26:42,000 and just generally having a good 734 00:26:40,260 --> 00:26:43,260 security posture on all of your servers 735 00:26:42,000 --> 00:26:45,419 on all of your development machines 736 00:26:43,260 --> 00:26:46,860 install virus scanners do all the things 737 00:26:45,419 --> 00:26:49,220 you should be doing for organizational 738 00:26:46,860 --> 00:26:49,220 security 739 00:26:49,380 --> 00:26:53,059 mitigating maintenance risk pay your 740 00:26:51,299 --> 00:26:55,260 open source developers 741 00:26:53,059 --> 00:26:58,320 Financial contributions are the best way 742 00:26:55,260 --> 00:27:00,720 to keep packages maintained if you can't 743 00:26:58,320 --> 00:27:02,880 pay for your packages contribute to open 744 00:27:00,720 --> 00:27:05,159 source projects in kind so contribute 745 00:27:02,880 --> 00:27:06,659 code you know get your set up your 746 00:27:05,159 --> 00:27:08,520 organization to be able to contribute 747 00:27:06,659 --> 00:27:10,080 back to the open source community 748 00:27:08,520 --> 00:27:11,640 support the work of development 749 00:27:10,080 --> 00:27:13,260 collectives like jazz band which is a 750 00:27:11,640 --> 00:27:16,200 group of developers who collectively 751 00:27:13,260 --> 00:27:17,820 maintain particular packages and if all 752 00:27:16,200 --> 00:27:20,039 else fails you can always vendor a 753 00:27:17,820 --> 00:27:21,480 package and maintain it yourself but 754 00:27:20,039 --> 00:27:22,500 that has its own bundle of risks 755 00:27:21,480 --> 00:27:24,840 involved 756 00:27:22,500 --> 00:27:27,000 and finally quality risk this is one of 757 00:27:24,840 --> 00:27:28,440 the most difficult ones but pinning your 758 00:27:27,000 --> 00:27:30,539 dependencies if you believe that a 759 
00:27:28,440 --> 00:27:33,419 package might be sort of prone to 760 00:27:30,539 --> 00:27:34,679 changes between minor versions Etc or 761 00:27:33,419 --> 00:27:36,539 they might not be the best governance 762 00:27:34,679 --> 00:27:39,539 practices in place pin those 763 00:27:36,539 --> 00:27:41,340 dependencies and watch them like a hawk 764 00:27:39,539 --> 00:27:43,260 um code defensively 765 00:27:41,340 --> 00:27:44,220 and write wrapper code to contain 766 00:27:43,260 --> 00:27:46,440 Madness 767 00:27:44,220 --> 00:27:49,559 um so your broad accept statements as 768 00:27:46,440 --> 00:27:50,880 much as pilot will will and um uh will 769 00:27:49,559 --> 00:27:51,900 be annoyed 770 00:27:50,880 --> 00:27:53,159 um you know make sure that you're 771 00:27:51,900 --> 00:27:56,159 capturing everything that can go wrong 772 00:27:53,159 --> 00:27:58,679 in a project in an architectural sense 773 00:27:56,159 --> 00:28:00,299 um and make your own contributions to 774 00:27:58,679 --> 00:28:01,500 help out the maintainers you know be the 775 00:28:00,299 --> 00:28:04,980 change that you want to see in the world 776 00:28:01,500 --> 00:28:07,260 and and make code better 777 00:28:04,980 --> 00:28:09,120 my three key takeaways 778 00:28:07,260 --> 00:28:10,500 know your Project's risk profile make 779 00:28:09,120 --> 00:28:12,960 sure you understand how much risk you 780 00:28:10,500 --> 00:28:14,520 want to take stop and think before every 781 00:28:12,960 --> 00:28:16,860 single pip install 782 00:28:14,520 --> 00:28:18,659 and plan for the long term plan for 783 00:28:16,860 --> 00:28:20,760 maintenance plan for what will your app 784 00:28:18,659 --> 00:28:22,200 will look like in five years 785 00:28:20,760 --> 00:28:23,580 um you know contribute back to the open 786 00:28:22,200 --> 00:28:25,620 source community and make sure that 787 00:28:23,580 --> 00:28:29,480 these packages are maintained long term 788 00:28:25,620 --> 00:28:29,480 and finally watch 
out for typos 789 00:28:29,760 --> 00:28:31,740 thank you so much 790 00:28:31,480 --> 00:28:34,910 [Music] 791 00:28:31,740 --> 00:28:34,910 [Applause] 792 00:28:36,299 --> 00:28:40,080 thank you for that Evan we do have a 793 00:28:38,400 --> 00:28:41,520 couple of Discord questions but we've 794 00:28:40,080 --> 00:28:43,200 probably only got time for one of them 795 00:28:41,520 --> 00:28:45,299 are you okay with answering the Discord 796 00:28:43,200 --> 00:28:48,120 ones after in a live one now yep 797 00:28:45,299 --> 00:28:50,279 excellent so people on the internet you 798 00:28:48,120 --> 00:28:52,460 heard him he will be replying on Discord 799 00:28:50,279 --> 00:28:55,080 but for the people in the room 800 00:28:52,460 --> 00:28:57,179 one lucky person can ask one lucky 801 00:28:55,080 --> 00:28:59,940 question here we are the lucky winner 802 00:28:57,179 --> 00:29:03,080 the wonderful person in the very well 803 00:28:59,940 --> 00:29:03,080 matching uh mask 804 00:29:03,539 --> 00:29:06,840 um just about the licensing 805 00:29:05,340 --> 00:29:09,299 compatibilities 806 00:29:06,840 --> 00:29:12,779 so uh you had quite a list of there of 807 00:29:09,299 --> 00:29:16,740 the share like licenses but uh like this 808 00:29:12,779 --> 00:29:19,980 is a a Django con so we build websites 809 00:29:16,740 --> 00:29:24,419 we don't distribute code we run the code 810 00:29:19,980 --> 00:29:27,720 on our servers and people access it so 811 00:29:24,419 --> 00:29:30,360 um all uh pretty much all the licenses 812 00:29:27,720 --> 00:29:34,980 there listed are for code that is being 813 00:29:30,360 --> 00:29:40,559 distributed except agpl agpl was created 814 00:29:34,980 --> 00:29:44,580 specifically uh for uh for servers for 815 00:29:40,559 --> 00:29:47,399 services so that if you use GPL if you 816 00:29:44,580 --> 00:29:49,559 use that code to run a service on a web 817 00:29:47,399 --> 00:29:52,200 server then you have to make that code 818 
00:29:49,559 --> 00:29:53,340 open source the others you don't have to 819 00:29:52,200 --> 00:29:55,140 worry about because you're not 820 00:29:53,340 --> 00:29:56,460 Distributing in the code so was there a 821 00:29:55,140 --> 00:29:58,080 question there 822 00:29:56,460 --> 00:30:00,840 uh 823 00:29:58,080 --> 00:30:02,940 am I wrong 824 00:30:00,840 --> 00:30:04,919 ask your lawyer 825 00:30:02,940 --> 00:30:08,279 um I'm not going basically my advice is 826 00:30:04,919 --> 00:30:10,159 don't get into like when it comes to GPL 827 00:30:08,279 --> 00:30:12,659 code whether it be any of the variants 828 00:30:10,159 --> 00:30:14,760 don't take any of it for granted be 829 00:30:12,659 --> 00:30:16,500 extremely careful 830 00:30:14,760 --> 00:30:18,899 um and you know you might be able to use 831 00:30:16,500 --> 00:30:20,760 it in your application but it has again 832 00:30:18,899 --> 00:30:24,080 it depends very much on the subtleties 833 00:30:20,760 --> 00:30:27,480 of of the particular license involved 834 00:30:24,080 --> 00:30:28,679 there is no real good catch-all yes you 835 00:30:27,480 --> 00:30:30,600 can absolutely use this if you're 836 00:30:28,679 --> 00:30:32,580 building a web application so yeah um 837 00:30:30,600 --> 00:30:34,679 basically ask your lawyers get approvals 838 00:30:32,580 --> 00:30:37,980 from from the people who really know the 839 00:30:34,679 --> 00:30:39,659 stuff I'm I'm not an expert on that I 840 00:30:37,980 --> 00:30:41,700 tend to just go with if it's permissive 841 00:30:39,659 --> 00:30:45,779 great otherwise 842 00:30:41,700 --> 00:30:48,419 yeah look deeper ask a lawyer 843 00:30:45,779 --> 00:30:49,630 let's thank Evan again for his wonderful 844 00:30:48,419 --> 00:30:50,820 talk 845 00:30:49,630 --> 00:30:55,170 [Music] 846 00:30:50,820 --> 00:30:55,170 [Applause]