
Recap: How the maintainers of urllib3 keep the project secure and healthy

by Caitlin Bixby
on December 20, 2022


On Dec. 7th, Tidelift VP of Product, Lauren Hanford, sat down with urllib3’s lead maintainer, Seth Michael Larson, to discuss the maintenance and security strategies of one of Python’s most downloaded projects (250 million downloads a month!). Below are some of the highlights; to hear the whole story, you can watch the webinar on demand now.


Working with Tidelift

The conversation kicked off with a discussion of the work required to maintain and secure urllib3. Seth highlighted how Tidelift makes streamlining processes and staying on top of security easier, allowing his team to free up time to spend on proactive maintenance strategies. 

He emphasized, “Tidelift being able to step in to help with the stuff that’s not as fun to deal with—CVEs and all of that—is really, really helpful.” 

Additionally, having a co-maintainer, Quentin Pradet, helps ease the stress of maintaining such a popular project. “And that’s another huge thing, having this ability to offer up someone—who is really important to the project—money to stick around and help support it is incredible,” he added.

The invisible work done to secure urllib3

There’s a ton of work being done under the surface to keep urllib3 maintained and secure, and having a solid team at the ready to respond to threats makes handling a crisis far more feasible. Seth recounted the Codecov data breach and the importance of having a team of people to tackle the issue right away.

“Codecov essentially had environment variables dumped in a data breach. Any project that had used their product, which we had, over all that time had environment variables that were compromised, and that includes GitHub repository secrets and stuff like that. So what we did is essentially, because of the way we have things configured, you can just rotate our keys. The same day we heard that that dropped, we rotated our keys probably within hours of that being dropped.”

“You can’t have that sort of response time if you don’t have a team of people waiting at the ready, all moments of the day. And we really do have a response team—we have a Discord channel where all of us sit in and talk a good amount of the day. It’s good to have people around that are watching. Because the other side of it is, what if we haven’t even heard that it had happened? Like Codecov isn’t going to come to us and tell us personally that this happened. They kind of just posted a blog post and hoped that people would just see it. So we luckily did and we acted on that.”

Throughout the rest of the webinar, Seth dives deeper into industry standards, the Python community, urllib3 2.0 alpha, and much more. To explore these topics and learn more about what’s in the cards for urllib3, you can watch the short webinar. And if you are interested in seeing more of what Seth is up to, check out his blog here.


At Tidelift we believe that partnering with maintainers and making sure they get paid is critical to open source software supply chain resilience. To learn more about the Tidelift Subscription and how we partner with maintainers, you can follow this link.
