Dependency management: the cause of—and solution to—all supply chain problems
How many dependencies does your software project have? How much confidence do you have in them? We sometimes say in open source there is safety in ‘eyes on the code’, but with supply chain attacks on the rise, who is really watching?
Most software is built with hundreds if not thousands of direct and transitive dependencies, and those dependencies change every day. Our analysis shows that up to 20% of PyPI packages change their dependency graphs multiple times per week. Ensuring that each one of these dependencies is trustworthy is a daunting task.
In this talk, we will share some stats and stories from building deps.dev. We will look at what it means for a project to be healthy, dig into the complexities of dependency resolution algorithms, and recommend tools that can make practical dependency management possible if not easy.
See this talk and many more by getting your ticket to PyCon AU now!
I want a ticket!Dr Nicky Ringland is a Product Manager working in open source security at Google. She describes herself as a recovering Computational Linguist - having earned a PhD in Computer Science from the University of Sydney, (her thesis involved thinking hard about the names of things, then training a computer to do the thinking for her). She previously co-founded Grok Learning - a startup with a mission to teach students to solve problems with code. Named one of Australia's inaugural “Superstars of STEM” and an Australian Financial Review 'Women of Influence', Nicky is passionate about teaching the next generation the skills they need to become the creators of tomorrow, while building a healthy, diverse community for them to thrive in.