How do you manage your open source dependencies?
Confession - I love Douglas Adams' Hitchhiker's Guide to the Galaxy. It is zany and weird and sometimes (often?) really insightful about human nature. A classic example of this is his creation of the Somebody Else's Problem Field, a cloaking device of the highest caliber described as follows:
An SEP is something we can't see, or don't see, or our brain doesn't let us see, because we think that it's somebody else's problem.... The brain just edits it out, it's like a blind spot. If you look at it directly you won't see it unless you know precisely what it is. Your only hope is to catch it by surprise out of the corner of your eye.
Continuing a bit later,
The Somebody Else's Problem field is simple and effective, and what's more can be run for over a hundred years on a single torch (flashlight) battery. This is because it relies on people's natural disposition not to see anything they don't want to, weren't expecting, or can't explain.
Paraphrased from Douglas Adams' Life, the Universe, and Everything
So where might SEPs be lurking? Well, as a developer who uses and loves Python, I would like to suggest that Somebody Else's Problems might just be lurking in Somebody Else's Python.
You are more likely to know Somebody Else's Python as your open source dependencies. Don't get me wrong, open source is fantastic. It provides the building blocks of many of our projects (both personal and professional) and of many of our communities. Open source is amazing!
Open source is amazing, but it should be used with consideration. If open source projects are in your production environments, you have to take responsibility for that code. It may be Someone Else's Python, but you have effectively cosigned a loan with it. You now share in any security issues in the software, known and unknown. It can be a bit sobering, and it can be hard to know what to do about it.
The above risk vs. reward calculation is one of the reasons that I really enjoy my work with Snyk. Snyk helps developers find and fix vulnerabilities in their open source software. I came into the company as one of a handful of Python enthusiasts who liked the product and advocated for better support for the Python community.
Today we were excited to announce support for fix pull requests for Python: pull requests that upgrade a dependency with a known vulnerability to a version that contains the fix. You can read more about it here. It is my hope that this functionality can help pythonistas confidently and securely use open source software.
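To make the "known issues can be fixed" part concrete, here is an added example of the underlying check and fix, written for this post and not Snyk's code. It parses a pinned requirements.txt, compares each pin against a list of advisories, and rewrites the vulnerable pins to the lowest version that clears every advisory for that package. The package names are real, but the advisory identifiers and fixed-in versions are constructed for illustration and should not be read as real vulnerability data; the sample requirements file is constructed too. Unpinned requirements are reported separately, because without a resolved version there is nothing to compare an advisory against.

```python
"""Audit a pinned requirements.txt against known-vulnerable version ranges
and propose the smallest upgrade that clears them.

Added example, not Snyk's code. ADVISORIES and SAMPLE_REQUIREMENTS are
constructed for illustration; the identifiers are not real CVEs.
"""
import re
from dataclasses import dataclass

# name, optional [extras], optional operator, optional version
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?"
    r"\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)


def normalize(name):
    """PEP 503 style name normalisation: Flask, flask and FLASK are one project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Turn '1.2.3' into a comparable tuple; trailing zeros are dropped so
    that 1.0 and 1.0.0 compare equal (pre-release suffixes are ignored)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str  # first version no longer affected; everything below is affected
    ident: str     # constructed identifier, not a real CVE


# Constructed advisory data: hypothetical versions, for illustration only.
ADVISORIES = [
    Advisory("requests", "2.20.0", "EXAMPLE-0001"),
    Advisory("flask", "0.12.3", "EXAMPLE-0002"),
    Advisory("flask", "1.0", "EXAMPLE-0003"),
    Advisory("pyyaml", "5.1", "EXAMPLE-0004"),
]

# Constructed sample requirements file.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
-r base.txt
requests==2.19.0
flask==0.12.2
pyyaml>=3.0      # unpinned: cannot be assessed against an advisory
six==1.12.0
"""


def parse_requirements(text):
    """Yield (normalized name, operator, version) for each requirement line."""
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()
        if not code or code.startswith("-"):  # blank, comment, -r/-e options
            continue
        m = _REQ_RE.match(code)
        if m:
            name, op, ver = m.groups()
            yield normalize(name), op, ver


def audit(text, advisories=ADVISORIES):
    """Return {"vulnerable": {name: [Advisory, ...]}, "unpinned": [name, ...]}."""
    by_pkg = {}
    for adv in advisories:
        by_pkg.setdefault(normalize(adv.package), []).append(adv)
    vulnerable, unpinned = {}, []
    for name, op, ver in parse_requirements(text):
        if op != "==":
            unpinned.append(name)
            continue
        hits = [a for a in by_pkg.get(name, [])
                if parse_version(ver) < parse_version(a.fixed_in)]
        if hits:
            vulnerable[name] = hits
    return {"vulnerable": vulnerable, "unpinned": unpinned}


def propose_fix(text, advisories=ADVISORIES):
    """Rewrite each vulnerable '==' pin to the lowest version that clears all of
    its advisories; every other line is passed through unchanged."""
    findings = audit(text, advisories)["vulnerable"]
    out = []
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].strip()
        m = _REQ_RE.match(code) if code and not code.startswith("-") else None
        if m and m.group(2) == "==" and normalize(m.group(1)) in findings:
            hits = findings[normalize(m.group(1))]
            target = max(hits, key=lambda a: parse_version(a.fixed_in)).fixed_in
            out.append(f"{m.group(1)}=={target}  # bumped for "
                       + ", ".join(a.ident for a in hits))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = audit(SAMPLE_REQUIREMENTS)
    for name, hits in report["vulnerable"].items():
        print(f"{name}: {', '.join(a.ident for a in hits)}")
    print("unpinned, not assessed:", report["unpinned"])
    print(propose_fix(SAMPLE_REQUIREMENTS))
```

Two design choices matter in practice. The fix targets the highest fixed-in version across all advisories for a package, not just the first one found, so one bump clears the whole set; and the rewritten file is re-audited before it is trusted, because a bump chosen from one advisory can still fall inside another's range. The version comparison here is deliberately simplified; a real tool would use PEP 440 semantics (for example via the packaging library) and advisory ranges with both an introduced and a fixed version.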
Want to try it for yourself? Snyk has a free tier!
You may be working with Somebody Else's Python, but known security issues can be fixed and no longer be problems at all.