CPython 3.12.2 is the first release to have SBOMs for source artifacts!
- Published announcement on the PSF blog
- Adding support for SBOMs for Windows artifacts is complete: the pull requests are finished and awaiting reviews from the Windows release managers.
- Support for macOS artifact SBOMs and Vulnerability Exchange is next after Windows SBOMs are done.
- Published user documentation for CPython SBOM documents.
- Worked closely with release managers, pip maintainers, and downstream distributors of CPython (mostly Fedora) to create a sustainable workflow.
- Presented on the status and challenges to the OpenSSF SBOM Everywhere SIG.
- Registered for OSS Summit North America, SOSS Community Day NA, and PyCon US 2024.
- Speaking at SOSS Community Day NA, which just published its schedule. My talk is titled "Embrace the Differences: Securing Open Source Ecosystems Where They Are".
- Speaking at a sponsored talk by Alpha-Omega with Alpha-Omega cofounder Michael Winser at PyCon US 2024, which also just published its schedule. The talk title is "State of Python Supply Chain Security".
- I'm planning on running an open space at PyCon US 2024 with Madison Oliver on the Open Source vulnerability ecosystem and tools specifically for open source maintainers. Look forward to that if you're attending PyCon US 2024.
- Reviewed the OpenSSF blog post "Linux Kernel Achieves CVE Numbering Authority Status"
- Published 4 weekly update blog posts:
- The White House published a report on memory safety this week. I read the report, and interested folks may want to read my own writing on Python as a memory safe programming language. From my analytics, this article is receiving more attention following the White House's publication.
- Linux was announced as a CVE Numbering Authority this week. The guide I authored on becoming a CVE Numbering Authority as an Open Source project was highlighted by Greg Kroah-Hartman in a blog post and on the Open Source Security podcast.
- Reviewed the updated Python package lock file proposal from Brett Cannon.
- Coming up with potential security-related projects for Python and Google Summer of Code.
- Working on grant renewal with Alpha-Omega for the Python Software Foundation.