3 key takeaways from PyCon US 2024

May 28, 2024

PyCon US, produced by the Python Software Foundation, is the largest and longest-running annual gathering for the community using and developing Python. This year, the conference took place on May 17-19 in Pittsburgh, PA, featuring more than 130 talks and tutorials, 80+ sponsors and community booths, and over 2,000 attendees.

We attended PyCon this year and gave a talk in the Spanish-speaking Charlas track. Below are a few of our key takeaways from this year's conference.

1) The Python community is incredibly welcoming and diverse.

One of the most striking aspects of PyCon US 2024 was its commitment to inclusivity and diversity. The conference featured keynotes from various communities, including PyLadies and Black Python Devs. PyCon also has an entire track dedicated to talks in Spanish, called "charlas"; as native Spanish speakers, we appreciated the opportunity to present our talk in our own language, to the Spanish-speaking Python community. Other keynotes focused on the importance of community and collaboration, with more technical sessions addressing new trends in Generative AI and Python improvements for security and performance.

It was also great to see Python creator Guido van Rossum make a surprise appearance at Meta's booth, emphasizing the event's significance and Meta's support for the Python community. Throughout the exhibition floor, smaller booths showcased a diverse array of companies, projects, and community initiatives, contributing to the conference's lively atmosphere.

A view from the Welcome Hall at PyCon US

2) Security is a major concern and area of focus for Python developers.

Security was a key topic at this year’s conference, highlighting its growing importance within the Python community. Several talks (including ours) were dedicated to enhancing security in Python projects, providing attendees with valuable insights and practical strategies.

One of the key highlights was the discussion on the future support of Sigstore in PyPI. Sigstore, created by Stacklok co-founder and CTO Luke Hinds, is an open-source project that aims to improve the security of the software supply chain by enabling the easy signing and verification of software artifacts. By integrating Sigstore, PyPI aims to ensure that the packages users download are authentic and have not been tampered with, thereby increasing trust and reliability.

Another significant topic was the strengthening of relationships with the Open Source Security Foundation (OpenSSF). OpenSSF is an initiative that focuses on improving the security of open-source software through collaboration across the open-source community. Its goal is to identify and address security vulnerabilities, establish best practices, and foster a culture of security awareness among developers. Enhancing collaboration with OpenSSF helps ensure that Python projects benefit from the latest security research and practices.

PyCon US featured talks on Sigstore, the open source security project created by Stacklok CTO Luke Hinds.

3) Securing open source dependencies is a challenge, but there are a number of free tools available to Python developers to help.

Our talk in the Charlas track focused on securing open-source dependencies in Python. We highlighted best practices and open-source and free tools to help vet the safety and security of open source dependencies. One of those tools is Stacklok's free-to-use web app, Trusty, which provides data and analysis on the supply chain risk of open source packages in the Python ecosystem (as well as four other language ecosystems). This data includes information about a package's proof of origin, and whether it has been signed using Sigstore.

With over 50 Spanish-speaking attendees, the session was well-received and generated significant interest, with several questions from the audience. In fact, we had so many questions that we even ran out of time! To us, this demonstrated interest from the Python community in this topic and we look forward to continuing to strengthen our security offerings for Python developers.

The conference also highlighted improvements related to the Open Source Vulnerability (OSV) database. OSV is a distributed vulnerability database that provides precise data on malicious open source packages and vulnerabilities; Trusty uses this data (along with other sources) to assess supply chain risk. By integrating OSV, PyPI can offer developers timely and accurate information about vulnerabilities in the packages they use, enabling them to take proactive measures to secure their applications.
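As an added illustration of how a developer can pull OSV data into their own tooling, the following Python snippet builds a query for the public OSV API and reduces the response to the facts that drive a remediation decision: the advisory IDs, their CVE aliases, and the versions in which each issue is fixed. This is example code written for this post, not code from the page, from PyPI, or from Trusty. It assumes the OSV `POST /v1/query` endpoint and the OSV schema fields (`vulns`, `aliases`, `affected[].ranges[].events[].fixed`) as publicly documented; the embedded sample response is constructed, with placeholder advisory IDs, so the parsing runs offline.

```python
"""Query OSV for a PyPI package version and summarize the advisories.

Example code added for illustration; not part of the original post.
"""
import json
import urllib.request

# Public OSV query endpoint (assumed from OSV's published API docs).
OSV_QUERY_URL = "https://api.osv.dev/v1/query"


def build_osv_query(name, version, ecosystem="PyPI"):
    """Build the JSON body OSV expects for a single package/version lookup."""
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}


def summarize_osv_response(response):
    """Reduce an OSV query response to one record per advisory.

    OSV returns an empty object when nothing matches, so a missing "vulns"
    key is treated as "no known vulnerabilities" rather than an error.
    """
    findings = []
    for vuln in response.get("vulns", []):
        fixed = []
        for affected in vuln.get("affected", []):
            for rng in affected.get("ranges", []):
                for event in rng.get("events", []):
                    # Each range is a list of events; a "fixed" event names
                    # the first version in which the issue is resolved.
                    if "fixed" in event:
                        fixed.append(event["fixed"])
        findings.append({
            "id": vuln.get("id"),
            "aliases": [a for a in vuln.get("aliases", []) if a.startswith("CVE-")],
            "summary": vuln.get("summary", ""),
            # Sorted as strings for stable output; use packaging.version for
            # true version ordering when choosing which release to upgrade to.
            "fixed_versions": sorted(set(fixed)),
            # No "fixed" event anywhere means no released fix yet.
            "fix_available": bool(fixed),
        })
    return findings


def query_osv_live(name, version, ecosystem="PyPI", timeout=10):
    """Send the query to OSV over the network and return the parsed JSON."""
    body = json.dumps(build_osv_query(name, version, ecosystem)).encode("utf-8")
    req = urllib.request.Request(
        OSV_QUERY_URL, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample response in the OSV schema shape. The IDs, aliases and
# versions are placeholders invented for this example, not real advisories.
SAMPLE_RESPONSE = {
    "vulns": [
        {
            "id": "PYSEC-EXAMPLE-0001",
            "summary": "Placeholder advisory with fixes on two release lines",
            "aliases": ["CVE-EXAMPLE-0001", "GHSA-EXAMPLE-0001"],
            "affected": [
                {"package": {"ecosystem": "PyPI", "name": "examplepkg"},
                 "ranges": [{"type": "ECOSYSTEM",
                             "events": [{"introduced": "0"}, {"fixed": "1.9.5"}]}]},
                {"package": {"ecosystem": "PyPI", "name": "examplepkg"},
                 "ranges": [{"type": "ECOSYSTEM",
                             "events": [{"introduced": "2.0.0"}, {"fixed": "2.0.1"}]}]},
            ],
        },
        {
            "id": "PYSEC-EXAMPLE-0002",
            "summary": "Placeholder advisory with no released fix",
            "aliases": [],
            "affected": [
                {"package": {"ecosystem": "PyPI", "name": "examplepkg"},
                 "ranges": [{"type": "ECOSYSTEM",
                             "events": [{"introduced": "2.0.0"}]}]},
            ],
        },
    ]
}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # query_osv_live("examplepkg", "2.0.0") to hit the real API.
    for finding in summarize_osv_response(SAMPLE_RESPONSE):
        print(json.dumps(finding, indent=2))
```

The `fix_available` flag is the useful signal for a CI gate: an advisory with a fixed version is an upgrade task, while one without a fix needs a compensating control or a decision to hold the dependency back. Rate limits and transient errors on the live endpoint are left to the caller.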

Rehearsing for our Charla!

Conclusions

Reflecting on PyCon US 2024, we were struck by the diversity and number of attendees (over 2,700) and the rich programming. The conference highlighted the importance of inclusivity and security within the Python community. The growing number of attendees and the comprehensive range of sessions reflect the dynamic and expanding nature of the Python ecosystem.

Stacklok’s participation and focus on security aligned perfectly with the conference's themes, reinforcing our commitment to supporting a secure and inclusive Python community. We are excited to continue contributing to future PyCon events and to support the vibrant Python community, and look forward to coming back again next year.
