generated from ossf/project-template
-
Notifications
You must be signed in to change notification settings - Fork 52
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Seth Michael Larson <[email protected]>
- Loading branch information
1 parent
8167392
commit 3797634
Showing
1 changed file
with
66 additions
and
0 deletions.
There are no files selected for viewing
66 changes: 66 additions & 0 deletions
66
alpha/engagements/2024/Python Software Foundation/update-2024-08.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| # Update 2024-08 | ||
|
|
||
| ## Talk Python podcast on Supply Chain Security and Python Language Summit 2024 | ||
|
|
||
| Seth was a guest on [Talk Python Podcast](https://open.spotify.com/episode/0a06wRawm4xZGIDEN4ZOqa?si=f61f3348959841b3) (#1 Python podcast) talking about | ||
| supply chain security for CPython and the Python Language Summit. | ||
|
|
||
| ## Sigstore bundle migration for CPython | ||
|
|
||
| We [received a report](https://github.com/python/cpython/issues/122785) that some CPython Sigstore bundles were receiving concerning errors during verification. | ||
| This was due to the bundles being generated with an old version of the Python Sigstore client that didn't | ||
| generate a standards-compliant bundle (because there was no such standard at the time!) so now the latest | ||
| Sigstore clients reject the bundle. | ||
|
|
||
| To remedy this, Seth [upgraded the Sigstore CLI](https://github.com/python/release-tools/pull/159) in use for the CPython release process to the latest version | ||
| and worked on a back-fill script which Python release managers will run to in-place upgrade the Sigstore | ||
| bundles without requiring re-signing of the artifacts. Seth has authored a blog post for what we learned | ||
| during this process along with tips on managing user-generated Sigstore signatures. | ||
|
|
||
| ## CPython SBOM conformance to upcoming CISA standards for SBOM | ||
|
|
||
| The [final draft](https://docs.google.com/document/d/1z8hKtPxs5OWaspst120NHN9XXgyULGl2aKdSebwIYPc) for CISA's "Establishing a Common Software Bill of Materials document" | ||
| was shared in the OpenSSF SBOM Everywhere WG. I evaluated the current SBOMs we're generating for | ||
| CPython and compared them to the document's new maturity model for SBOMs: | ||
|
|
||
| * Author Name, Timestamp, Primary Component, Component Name and Version, Supplier Name, | ||
| Unique Identifier, Cryptographic Hash, Relationship, and Redacted items were the highest maturity level. | ||
| * Heritage, License, Copyright Notice, and SBOM Type are areas of improvement for our SBOMs. | ||
|
|
||
| Seth [created a GitHub issue](https://github.com/python/cpython/issues/123038) to address these gaps once the guidance is finally published. | ||
|
|
||
| ## CVE Numbering Authority (CNA) | ||
|
|
||
| Pallets, the organization that maintains the popular Python packages Flask, Click, Quart, Werkzeug, among others | ||
| requested to be scoped under the PSF CNA. After some discovery and discussion with folks involved with | ||
| CVE we have decided to move forward with an updated scope. The updates to our CNA scope, website, and processes | ||
| are ready to go pending MITRE's approval of our scope change. | ||
|
|
||
| This foray into supporting projects beyond CPython and pip with our CNA is an experiment into how we can better | ||
| serve the Python package ecosystem. Seth authored an announcement blog post that will be published once the change is finalized. | ||
|
|
||
| The PSF CNA also onboarded the new PSF Infrastructure engineer Jacob Coffee as | ||
| a CNA operator and point-of-contact. We updated our point-of-contact list according to | ||
| the latest CNA rules (adding phone numbers for multiple PoCs). | ||
| Jacob took the CNA onboarding training we created and created his first advisory and | ||
| CVE records. | ||
|
|
||
| Published advisories for [CVE-2024-6923](https://mail.python.org/archives/list/[email protected]/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/), | ||
| [CVE-2024-7592](https://mail.python.org/archives/list/[email protected]/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/), | ||
| and [CVE-2024-8088](https://mail.python.org/archives/list/[email protected]/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/). | ||
|
|
||
| ## PyCon Taiwan 2024 | ||
|
|
||
| Seth Larson is keynoting [PyCon Taiwan 2024](https://tw.pycon.org/2024/en-us/about) on the topic of Python supply chain security in late September. | ||
| Spent a chunk of time preparing slides and the presentation this month. | ||
|
|
||
| ## Other items | ||
|
|
||
| * Alpha-Omega grant was renewed through 2024, see announcement blog post: | ||
| * https://pyfound.blogspot.com/2024/08/security-developer-in-residence-role.html | ||
| * August was the last month of Google Summer of Code. Seth's mentee Nate Ohlson [submitted his final report of the project](http://nohlson.com/blog/CPython-Compiler-Hardening-Summer-Retrospective/) | ||
| for adopting the OpenSSF C/C++ compiler options hardening guide into CPython. | ||
| * Authored vulnerability fixes for IPv4-mapped IPv6 addresses, reviewed email quoting fix, zipfile infinite loop. | ||
| * Submitted a CVE rejection request for bogus pandas CVE (CVE-2024-42992) which was accepted. | ||
| * Reviewed packaging standards for [PEP 710](https://peps.python.org/pep-0710/) (index installation records), | ||
| [PEP 751](https://peps.python.org/pep-0751/) (Python lock files), and [PEP 752](https://peps.python.org/pep-0752/) (Package index reserved prefixes). |