Episode 150: Dustin Ingram and the Open Source Security Team at Google

EPISODE · Jan 6, 2023 · 35 MIN


from Sustain · host SustainOSS

Guest: Dustin Ingram
Panelists: Richard Littauer | Justin Dorfman

Show Notes

Hello and welcome to Sustain! The podcast where we talk about sustaining open source for the long haul. Joining us today is Dustin Ingram, who's a Staff Software Engineer on Google's Open Source Security Team, where he works on improving the security of open source software that Google and the rest of the world relies on. He's also a director of the Python Software Foundation and a maintainer of the Python Package Index. Today, we'll learn about the Open Source Security Team at Google, what they do, the bill they've contributed to, the Securing Open Source Software Act of 2022, a rewards program they have to pay maintainers called SOS Rewards, and Google's role in the Sigstore project. Dustin also talks about the Python Package Index, shares his opinion on the difference between security and sustainability, and tells us what he's most excited about in the work going on over the next year or two. Download this episode now to find out more!

[00:01:10] Dustin fills us in on the Open Source Security Team at Google, what they do there, how they prioritize which packages to work on, and which security bugs to work on.
[00:03:25] We hear about the team at Google working on the bill 4913, the Securing Open Source Software Act of 2022.
[00:04:18] Justin brings up Dan Lorenc and Sigstore, and we learn Google's role in this project and in making sure it's adopted more heavily in the supply chain.
[00:06:05] Dustin explains the model for how Google is working to make sure these projects stick together, and he tells us how an open source maintainer can make their code more reliable by going to Sigstore and other sites to talk to people.
[00:09:26] How does Google prioritize and choose which projects are the most important and where they're going to dedicate developer time to do that work?
[00:11:02] Dustin works on the Python Package Index, and he explains what it is, and, with the PSF, how many directors they have and how much he interfaces with other people there.
[00:12:17] We hear how Dustin dealt with the fallout from the backlash that happened during the mandatory multifactor authentication rollout for the critical projects.
[00:16:52] When it comes to security, Richard wonders if Dustin has put a lot of thought into different grades of where it exists and who it's for, as well as whether there's a ten to fifty year plan for when maintainers move on to do other things and people are not going to be developing at all.
[00:19:13] Are there plans around education for maintainers and communities on how to onboard new maintainers and how to increase security without increasing the load on the maintainers working on their projects?
[00:20:21] We hear what the Securing Open Source Software Act is all about.
[00:22:21] Now that open source is the dominant distribution, Dustin shares his thoughts on whether open source will stop working and explains the real strength of open source.
[00:24:09] Richard brings up the US government trying to secure its supply chain, working with future maintainers, code packages, and foundations to figure out how we secure the ecosystem at large, and wonders if Dustin sees a way for the government to try to secure open source without regulating it, and to manage it without the help of foundations or package managers.
[00:26:56] Dustin shares his opinion on the difference between security and sustainability, what he thinks about that, and what he's most excited about in the work going on over the next year or two.
[00:30:28] Find out where you can follow Dustin and his work on the web.

Quotes

[00:03:34] "After Log4j, the government got really spooked because they really didn't know what software they were consuming, and President Biden did an executive order on securing a nation's cybersecurity, which was about setting a policy for how the government should consume open source."
[00:08:11] "We also do some other things to make that a little easier for open source maintainers to adopt these technologies."
[00:08:17] "One thing we have is a rewards program called SOS.dev, and that's a way that maintainers can get paid for doing what we feel is relevant security work."
[00:21:01] "The US government consumes a lot of open source software. They have a dependency on a lot more than most large companies that you can think of."
[00:21:11] "The answer to Log4j is not to stop using open source, it's to get better practices around determining what you have and just do industry best practices for finding and fixing vulnerabilities."

Spotlight

[00:31:17] Justin's spotlight is some awesome software called Rewind.ai.
[00:32:32] Richard's spotlight is Geoff Huntley.
[00:33:36] Dustin's spotlight is the Mozilla Open Source Support Program.

Links

SustainOSS
SustainOSS Twitter
SustainOSS Discourse
[email protected]
Richard Littauer Twitter
Justin Dorfman Twitter
Dustin Ingram Twitter
Dustin Ingram LinkedIn
Dustin Ingram Website
Open Source Vulnerability (OSV)
Sustain Podcast, Episode 93: Dan Lorenc and OSS Supply Chain Security at Google
Sigstore
SOS Rewards
Python Package Index (PyPI)
Sustain Podcast, Episode 75: Deb Nicholson on the OSI, the future of open source, and SeaGL
Open Technology Fund
Rewind
Geoff Huntley Twitter
Explaining NFTs: Geoffrey Huntley interviewed by Coffeezilla about his NFT Bay Heist (YouTube)
Mozilla Open Source Support Program

Credits

Produced by Richard Littauer
Edited by Paul M. Bahr at Peachtree Sound
Show notes by DeAnn Bahr, Peachtree Sound
Special Guest: Dustin Ingram.
