Skip to content

Home

  • Profile photo for Paul Brabban Paul Brabban, Lead Consultant at Equal Experts

    With experience in software development, data engineering and machine learning, I specialise in data-intensive problems and decentralised data engineering at scale. My experience extends to leading teams, technical architecture and product development. Find out more about my experience and publications in my portfolio.

    Contact me to see how I can help at paul@tempered.works.

How to get pwned with --extra-index-url

A diagram illustrating a dependency confusion attack using Python's pip. The layout compares a "private registry" hosting a safe package (version 0.0.1) against a "public registry" hosting a malicious package of the same name (version 1.0.0). An arrow from the private registry is labeled "nope, too old," while an arrow from the public registry is labeled "winner!" pointing to the user's computer. The computer is stamped "COMPROMISED" because pip prioritized the higher version number found on the public index.
Illustration of Dependency Confusion. When using --extra-index-url, pip checks all configured indexes and defaults to installing the package with the highest version number, allowing a public attacker to supersede internal packages.

Python's built-in pip package manager has a dangerous behaviour when used with private package registries. If you specify your private registry with the --extra-index-url flag (there are other dangerous variants too), an attacker can publish a malicious package with the same name and a higher version to PyPI, and their package will be installed.

This post confirms that the vulnerability (CVE-2018-20225 7.8 HIGH) is still a problem today and introduces a test suite and publicly-available test packages that you can use to more easily confirm the safety - or not - of your own setup.

BigQuery, safer by default from September 2025

A snippet of an email from Google, showing the change in BigQuery project quota defaults

On September 1st 2025, Google will make BigQuery a lot safer by default, changing the default quotas for projects under the default on-demand pricing model. Instead of unlimited financial damage, the default for new projects will be around $1000 per day. Existing projects will be updated to a custom limit based on prior 30-day usage. No changes to existing limits.

  • Thanks to Equal Experts logo for supporting this content.

GitHub Codespaces, one year later

A screenshot of the GitHub web UI option to create a new Codespace on main

Back in early 2024 I tried GitHub Codespaces, and quickly ditched my local dev setup entirely. This post shares my experience going cloud-native for development: benefits for onboarding, agility, and security, alongside the real-world snags like network dependency and unexpected billing quirks.

My path to consultancy

A country road stretches off into the sunny, leafy distance as my little boy cycles his favourite route home from school

I had big doubts about becoming a consultant or contractor. Could I do it? Would I find work? Could I run my own business? Would I need to change who I am, wear a suit, or buy a briefcase? Seven years have flown by since I took the plunge, so I'm going to share my story in case it's helpful for you!

Rethinking the guest network to improve my home network security

Network diagram showing the internet connected to a router, linked to four devices: tablet, mobile phone, laptop, and IoT device.

I believe that making my guest network my default network reduces the potential harm a compromised app or device can cause. What was my "trusted" network is now my "untrusted" network, with only a few low-risk devices that really need local network connectivity connected to it, isolated from other devices that matter like my phone and work laptop.

It's a simple change in how I use my home network, and does not require in-depth knowledge and experience. Having operated this way at home for a few months now, I've found little impact on day-to-day usability, but it's really helped me sleep better at night. I'll explain what I changed, why, and how I've adjusted my wider thinking on my home network security to take better advantage of this approach.

  • Thanks to Equal Experts logo for supporting this content.

Generating portable and user-friendly identifiers

A screenshot of the BigQuery console, with example SQL for generating an identfier from a string value as I outline below

I'll share how I generate unique identifiers from data in 2025, avoiding the pitfalls I've seen along the way. TL;DR: I'm using MD5 to produce a digest from a string or bytes value, then I'm using plain old hexadecimal encoding of that digest, specifying upper or lowercase for the alpha characters. This solution meets the needs I describe next.

  • Thanks to Equal Experts logo for supporting this content.

Testing stored procedures

hero image

Update August 2025

Since writing this post, I've found a clean way to handle stored procedures and their outputs for dbt users by treating them as materializations. This makes testing them as straightforward as testing any other dbt model. Read more in UDAFs, stored procedures and more in dbt.

Whilst I've used and written about UDFs a lot, I can't recall ever having a reason to work with stored procedures. When I was asked how I'd go about wrapping them in automation and testing, I thought it'd be a good excuse to take a look and see how I might go about testing them!