Summary
In this episode of What’s in the SOSS, host Yesenia Yser sits down with Seth Larson, Security Developer-in-Residence at the Python Software Foundation, as he shares his unique perspective on open source security. From his Minneapolis base, Seth discusses his journey from urllib3 maintainer to leading security initiatives across the Python ecosystem. In this episode, we explore how public documentation shapes security work, the importance of supporting maintainers both technically and emotionally, and the art of building trust in open source communities. Seth also shares insights on engaging with academic communities, the evolution of secure-by-default practices, and his approach to making security accessible without disrupting existing workflows. Plus, don’t miss our rapid-fire segment where Seth reveals his love for retro Nintendo games and PyCharm over traditional editors!
Conversation Highlights
00:00 Introduction & Seth’s Background
02:30 The Power of Public Documentation
07:00 Supporting Open Source Maintainers
12:00 Engaging Academic Communities
18:00 Seth’s 10-Year Open Source Journey
22:00 Rapid Fire Round
25:00 Closing Advice
Transcript
Intro Music (00:00)
Seth’s Intro Clip (00:03)
The one message I like to tell people, maintainers of medium and small projects, is you are not alone. It’s totally OK to ask for help, especially from trusted individuals that are doing this work every day.
Yesenia (00:20)
Hello and welcome to What’s in the SOSS, OpenSSF’s podcast where we talk to interesting people throughout the open source ecosystem, sharing their journey, experiences and wisdom. I’m Yesenia, one of your hosts, and today I have an extraordinary member of our open source community, an advocate, a pioneer in the Python Software Foundation and a leader in our open source world. Welcome, Seth.
Seth (00:45)
Thank you so much for having me. This is great.
Yesenia (00:51)
Glad to have you here. Introduce yourself to the audience.
Seth (00:55)
Hello, everyone. My name is Seth Larson. I work as the Security Developer-in-Residence at the Python Software Foundation. I’m based out of the Minneapolis, Minnesota area. I contribute to a lot of open source projects outside of my work also, like urllib3, a lot of things in the HTTP and web and security space. And I love retro video games, specifically Nintendo ones. So…yeah.
Yesenia (01:19)
That might make some interesting rapid fire if I knew that ahead of time.
Seth (01:23)
Well, now you
Yesenia (01:24)
So we’ll just, we’re just gonna edit that in there. So we’ll start off with the questions. I actually love your blogs. I think I’ve told you this before where your blogs are ones that I’ve shared with other folks. I think they’re really great behind the scenes, looking into your security work at the Python Foundation. Share with the audience, like how has documenting your journey publicly just shaped your approach to solving these challenges we see in the open source space?
Seth (01:50)
Yeah, well, first of all, thank you. But yeah, one of my favorite parts of open source software and open knowledge and all that is the sharing, right? Getting to share experiences, share what you learned, share what was hard and what was easy and what you did and what you considered. That’s just one of my favorite parts of it. And so writing is a very natural part of knowledge sharing on the internet.
And so my position at the Python Software Foundation is super unique, right? Like there’s not a whole lot of people that are basically getting paid at open source foundations to do mostly undirected security work, right? Whatever I think is the most important thing to do is what I’m typically working on any given day. And so because that position is so new and so unique, I really thought it was important to put all that information out there about what I’m doing day to day and what I’m thinking about – just out into the world, and then kind of seeing what people think about it. And also there’s other foundations, so they’ll have a roadmap just coming into things, which is really great. Or people that are at foundations already are just like, oh, Python’s working on this stuff. Maybe we could work on it, or we could credit them, and this is some of the work. So the CVE Numbering Authority guide, that one was really popular. When I shared that out, tons of other foundations were like, wow, this is great. We’re gonna just use this. And it’s like, this feels really good. We’re all rising tides, right?
Yesenia (03:16)
That’s beautiful. It’s like part of the open source community. Have you seen, when you release something, a lot of foundations taking that thought leadership that you’ve shared and using it in their own foundations?
Seth (03:28)
Yeah, so the CNA guide I know for certain was used by the Linux kernel, curl. The most recent one that used that knowledge base was the Erlang Ecosystem Foundation. They became a CNA recently and they used the guide and it was great. So I just love when other foundations are able to be like, oh, Seth has all this information out there. We’re just gonna learn from that, and then we’re gonna credit them and talk about it, and it’s just great.
Yesenia (03:52)
The impact that you’re having just from these blogs that you’re posting, it’s really great, just the documentation. I know you can do it for yourself, and I document myself, but I don’t put it up there because – just like Creed from The Office, no one needs to read my journals.
Seth (04:06)
You should, I mean, what is it, like Google? One of my most recent posts, I basically put some structured stuff in that I just pasted from a Google Drive doc with a bunch of it. I’m just like, by the way, this is really raw, unedited, and if it’s useful to you… and it really was useful to some people.
Yesenia (04:24)
Yeah, yeah, I’m sure the crazy stuff in there would be useful to somebody. Looking into open source, many individual maintainers juggle security concerns on top of their core contributions, and I know this is something that we’ve talked about this week. What have you found most efficient when it comes to supporting them, both technically and emotionally, throughout their work within the Python ecosystem, or just outside of open source?
Seth (04:49)
Yes, I think the one message I like to tell people, maintainers of medium and small projects, is you are not alone. I think that there is this inherent quality to security work which is almost isolating. With vulnerability reports, there’s the isolation aspect of the information, because you don’t want to cause harm. That’s totally fine, but it is totally still OK to ask for help, especially from trusted individuals that are doing this work every day. So if you need help with, say, a reporter came to me, what do I do next? And you’re just not quite sure. It’s okay to reach out to someone, and it has happened to me multiple times where projects reach out and they say, we need help with just doing this for the first time. And that’s totally fine. So don’t feel like, just because it’s security work, that it needs to be done within the confines of this project. You’re not alone.
From a technical perspective, I really like to keep close to the principles of like, building infrastructure, which is like when you build infrastructure, your users shouldn’t even know that you’re there, kind of, right? Like they should be able to achieve all the outcomes that they want without having to think about all the stuff that you’ve done. And so that’s things like secure by default, right? And taking the workflows that people are already doing and making those secure, not trying to migrate a bunch of users onto this new workflow that happens to be secure, right? And so that’s a real big challenge, especially because there’s a lot of stuff out there that maybe isn’t secure by default right now. It’s like how do you make that secure by default without disrupting user workflows? And so I think that’s the challenge of my work and a lot of open source security work. But yeah, that’s what I tend to keep close to me whenever I’m designing these systems.
Yesenia (06:34)
Yeah, and it’s interesting because, at least from what I’ve seen in the open source space, contributors are very isolated. They just go, they create this awesome innovation, they put it out there, and some of them are not even aware of the different communities that are in there. So engaging with open source communities on these proactive security issues can be challenging. And you mentioned trust and finding these folks, but for folks that may not know or be aware of these open source communities – or the fact that this is a possibility, it could be just a kid that was in college and put this out and it went mainstream for some good reason. It’s very innovative, it’s making a difference in the world, but how do you foster collaboration and trust with these contributors who may not have a security background, who may not know open source is available out there?
Seth (07:25)
Yeah, so I’ll take the scientific computing community, the sub-community within Python, as an example here, because that community has an extremely strong, I would say, domain focus, right? So you have professors and grad students, and all these people are maintaining these projects like NumPy, SciPy, all of that, right? And so they are incredibly talented and smart and can do software, but then it’s like, OK, now you’re expecting security to also happen from them, and that’s quite a difficult ask for someone that is already a world-class expert in so many domains already. You can’t just keep on adding more requirements for expertise there.
And so what I try to do in those situations is I try to find the people that are interested in security in that community. And there typically are a handful of people that are working on security in a sub-community. And I work with them, and I try to make it so that I can translate what I’ve learned from my own work, either with CPython or with other Python packages, into something that is useful for that community, because they tend to have different needs. And so we need to remix the content, or how do we roll this out, or what sorts of tools are being used there that are different than a typical Python project, because there’s lots of differences.
And by partnering with those sub-community experts that are willing to work with me on security, we see a lot of success. So we can translate, okay, here are the needs of this community, here’s how we can create a guide for securely publishing to PyPI a scientific computing project and here’s what you need to know and we can boil it down really easily and then people that are interested in that community can then take that guide and try to contribute to those projects instead of requiring like the maintainers themselves to be the ones that are doing all the security work.
Yesenia (09:16)
That’s such a good way, because academia is very isolated, and then in most universities there are the cybersecurity or the specialties in that space. So bringing them into the conversation, and not just security as a requirement, but there’s other pieces like quality assurance and testing that come into play when you’re building out software. So I think that’s a very smart approach, like going into these communities, especially academics, because they’re going to be the next movers of these innovative pieces, the highly sophisticated ones, because they’re so hyper-focused on this innovation in that space that they’re researching and studying. So big kudos to our academic innovators out there – yeah, we’re flying right now.
A lot of this stuff couldn’t be done without you and we’re here to be able to give you that support that you need. But I think that’s a genius way of coming in and I know part of the conversations from this week, we’re at the Open Source Summit and we do need to bring all these different subject matter experts and not just have that one maintainer expand their knowledge because then they become a generalist and they can’t focus on that innovative piece. So I think that’s a really great way of starting at the academics because the majority of us, there’s the traditional path of education and then there’s some of my favorite people are the free learners or self-taught individuals.
Looking back at your own path in security, from contributor to engineer, what are moments or lessons that helped you gain confidence and clarity about your role in protecting open source projects?
Seth (10:48)
Yeah, so it’s kind of funny because I still feel like a relative newcomer to open source. But, then I looked back on the contribution graphs and I’m like, oh, I’ve been doing this for almost 10 years now. I don’t think I can call myself a newcomer anymore. But yeah.
Yesenia (11:04)
It feels like yesterday.
Seth (11:05)
Oh, right. I know. I remember the first time I flashed Ubuntu to my Windows laptop and I was so afraid. But yeah, I think that the biggest thing that informed me doing security work now is all of the work that I did on small and medium-sized projects before doing all of this. So, like, urllib3 was probably the most prominent one. At one point, and still to this day, it’s like the top three downloaded projects on PyPI. So the security concerns there, the impact if something bad were to happen, it was quite high. And so we took security very, it was a very cautious approach with everything. And I think using that project as kind of a vehicle for adopting a lot of the new OpenSSF stuff that was being put out five years ago and learning through that project – and especially the experiences and the restrictions, and like what sorts of resources and time do those sorts of projects have? What are the maintainers of those projects thinking about? Because I was the maintainer in that situation. All of those experiences have really informed everything that I do now. And so I think that especially – it’s a really, really big benefit for me – especially working on standards and going to other projects having had that history, especially in the Python ecosystem itself, where I can go to a project and the people that are there already will say, oh well, we trust Seth. We know that he has these experiences. We know that he’s not going to suggest something that’s unsustainable. We know that he’s taking our concerns into account, even if it’s not him asking for every little thing that they need from me or from a project, right?
And it’s just like, it greases the wheels, right? It makes it so that there’s that really high level of emotional trust that whatever I’m suggesting or whatever I’m proposing this project do is probably in their best interest and is not going to be this issue later where the work gets done and then they’re on the hook for maintaining it long term. And so I think that that’s probably the biggest thing that has helped me in this role.
Yesenia (13:22)
Yeah, 10 years, 10 years in open source. I mean, somebody the other day was like, you have a lot of security experience – and I was like, I do?! And then I looked back and I was like, 12 years, and I was like, oh, I do…like how does that…
Seth (13:34)
Yes, you do.
Yesenia (13:35)
I was like, really? Yeah. I think it’s the imposter syndrome and the humbleness, I guess. But if you want to share a little bit about your journey, 10 years in the open source space is quite a journey.
Seth (13:47)
Yeah, I mean, it is all from my love of the web. I think that was kind of the original place where I got started, the web. So finding this project, urllib3, I was very lucky to have a great maintainer in Cory Benfield. He was, at the time, the current lead for urllib3. And he saw me contributing to a bunch of HTTP and web Python projects and was able to take me in. And then I contributed to urllib3 for many years. And then eventually I was made a lead. And now I’ve made the full transition. Now I’m still a maintainer of urllib3, but I’m no longer the lead. We’re in such a great place with multiple maintainers that we’re actually wanting to have a new lead so they can start learning what it means to be a lead maintainer for a project versus just a keeping-the-lights-on maintainer, and be able to mentor that individual.
So, it’s passing the baton. It’s been a lot of fun.
Yesenia (14:45)
Yeah, the way I like to say it is you’re bringing down the elevator for the next person.
Seth (14:50)
Yes. Yes.
Yesenia (14:51)
Sometimes you climb really high. So you’re going to the stairs – I don’t like cardio, so I’ll bring down the elevator for the accessibility. I’ll send the elevator down for the accessibility of folks, because not everybody can walk up the stairs. But cool, let’s move on to the rapid fire. We just have way too much fun with this.
First question is gonna be, I don’t know, Vim or Emacs?
Seth (15:20)
Neither. [laughing]
Yesenia (15:24)
[laughing] What’s your choice?
Seth (15:28)
I like an IDE. I like PyCharm. I do almost everything in PyCharm. I even write in PyCharm. Google Docs. Is that a valid answer? [laughing]
Yesenia (15:40)
Don’t age yourself now. [laughing]
Seth (15:42)
It’s surprising. The funny thing, I don’t do a lot of programming day to day. It’s a lot of writing standards and writing blog posts and talking to people. And yeah, it’s a lot more of that than it is programming.
Yesenia (15:55)
Yeah, definitely. I know the 10-year-old me with my Dell desktop was more on the Vim and Emacs, but I haven’t seen that in years.
Seth (16:05)
I think the answer is PyCharm. That’s my answer.
Yesenia (16:09)
Your answer, and you’re sticking to it. Favorite retro video game?
Seth (16:12)
Oh, wow. Well, right now, the recent favorite is Pikmin 2 for the Nintendo GameCube. I’m playing through this game four separate times because there’s four separate regions and they’re all different in meaningful ways. So I’m just playing through that game a lot right now and that’s what I’m into.
Yesenia (16:34)
OK, have you ever played Earthbound?
Seth (16:38)
I’ve not played Earthbound, but I know that it is a work of art and that I have missed out in not playing it.
Yesenia (16:43)
It’s the chef’s kiss. I love Earthbound. There’s a few other ones that I’m like, it’s deep in there. It’s very cached in my brain. Probably archived and encrypted at this point, but we’re in there. Throw away the key – we don’t know where it is. I’ve lost the private key.
Next question, Marvel or DC?
Seth (17:07)
Oh, you know, that’s a tough one. I think I just got to go with Marvel because it’s just where I’ve spent the most time. I don’t read a lot of comics, but I do watch movies. So I’ve watched a lot of Marvel movies.
Yesenia (17:23)
The investment is there. The investment’s with Marvel. Favorite kind of contributor: documentation writer, bug fixer, or feature builder?
Seth (17:34)
I mean, contributing to a project that is very old, I’m going to say bug fixer. I mean, documentation and bugs, like… Yeah, you know, I love a feature, but we’re good. We’re OK for now, I think.
Yesenia (17:49)
So you heard it from Seth: if you’re looking to get into open source, document writing or fixing a bug!
Seth (17:56)
Find a bug – bugs are really great. I mean, it teaches you. If you see a bug end to end in a new code base, you learn so much.
It’s really, really good.
Yesenia (18:06)
Next question. Best way to grow projects: social media, conferences, or contributors?
Seth (18:11)
You know, I wish I knew the answer to this. That sounds really useful.
Yesenia (18:17)
I wish we all did.
Seth (18:18)
Yeah, I mean, does anyone know the answer to this?
Yesenia (18:22)
Phone a friend.
Seth (18:23)
Yeah, I think the best way to grow projects is to make plenty of space for people to own stuff.
Yesenia (18:31)
That’s a good answer.
Seth (18:32)
Yeah, because that’s exactly what happened with me, right? Where you’re very quickly trusted as a contributor and someone who’s able to review features. And I think that that sort of trust in contributors, where you come back one or two times and it’s like, okay, well here, now you have this ability to review stuff. We want you to review things. That’s pretty powerful.
Yesenia (18:54)
Yeah, that’s definitely the way I got in. It was just somebody who was like, I’m gonna trust you to do this. And I’m like, good luck. And here we are.
Seth (19:04)
Look what happened.
Yesenia (19:05)
Look what happened. That trust.
Seth (19:07)
It’s a hack.
Yesenia (19:08)
It is a hack. Last one and this one’s for chaos.
GIF or JIF?
Seth (19:15)
It’s gotta be GIF, right? It’s gotta be GIF. It’s gotta be. I don’t know. Is that one controversial?
Yesenia (19:22)
I heard it’s controversial. We got some head nods in the room.
Seth (19:27)
GIF.
Yesenia (19:27)
GIF.
Seth (19:28)
Yeah.
Yesenia (19:29)
See, I say JIF.
Seth (19:30)
Oh, well.
Yesenia (19:31)
Potato, potato, tomato, tomato.
Seth (19:34)
I should have asked before.
Yesenia (19:36)
You can’t know the secret answers.
Well there you have it folks, another rapid fire. We’re just having way too much fun with this one. I told Seth that we could just make noises. So here we are folks, I hope you’re enjoying and getting a good laugh out of this. Seth, any last minute advice or thoughts for the audience before we close out?
Seth (20:02)
Find an open source project that makes you happy and figure out a way to contribute to it. I mean, it doesn’t have to be like this big flashy project. Like big flashy projects, they’re great. But there’s like so many cool little projects. Like there’s like a QR code library that I’m really in love with and I’m just like, that is such a cool project. I would love to contribute more to that project. So find a cool little project and just contribute a little bit and then just see what happens after that. It’s really a great thing.
Yesenia (20:32)
Yeah, boost up your GitHub contributor points on something that makes you happy and you never know who you’ll meet.
Seth, I appreciate your time. Thank you for your impact and contribution as a community. It’s a huge thing every time I see one of your posts and things moving. Many thanks to the members of our community. Because of your efforts, we’re able to drive these projects forward and have this space. Thank you, Seth. And we’ll see you on the next one, folks.
Seth (21:00)
Yeah. Thanks so much for having me. This has been so fun.