generated from ossf/project-template
-
Notifications
You must be signed in to change notification settings - Fork 52
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
200f35b
commit 5bf7201
Showing
1 changed file
with
63 additions
and
0 deletions.
There are no files selected for viewing
63 changes: 63 additions & 0 deletions
63
alpha/engagements/2024/Python Software Foundation/update-2024-09.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| # Update 2024-09 | ||
|
|
||
| ## PyCon Taiwan 2024 Keynote | ||
|
|
||
|  | ||
|
|
||
| Seth Larson [keynoted PyCon Taiwan 2024](https://tw.pycon.org/2024/en-us/conference/keynotes), a regional Python conference in Kaohsiung, Taiwan during September 21st through 23rd. | ||
|
|
||
| The talk was titled "Bytes, Pipes, and People" and discussed why open source security is important today and | ||
| the challenges and tools for improving the security posture of a decentralized software ecosystem like Python. | ||
| Slides, an overview, and links to mentioned topics [has been published](https://sethmlarson.dev/pycon-taiwan-2024). | ||
| PyCon Taiwan will publish the recording to [their YouTube channel](https://www.youtube.com/@PyConTaiwanVideo) in a few months. | ||
|
|
||
| The talk was well-received, garnering many questions from the audience during Q&A and after the talk. | ||
|
|
||
| Seth was also a guest on the PyCast podcast in Taiwan for a multi-hour long recording session discussing the | ||
| Security Developer-in-Residence role and Python security. This recording will be published in December. | ||
|
|
||
| ## Open Regulatory Compliance WG: Cyber Resilience Act | ||
|
|
||
| Seth joined the [Open Regulatory Compliance WG](https://gitlab.eclipse.org/eclipse-wg/open-regulatory-compliance-wg) | ||
| to collaborate on Cyber Resilience Act work-stream, specifically the [horizontal security standards](https://gitlab.eclipse.org/eclipse-wg/open-regulatory-compliance-wg/cra-topics/-/blob/main/standards.md#horizontal-standards-due-aug-2026) | ||
| for the CRA that are due in August 2026. | ||
|
|
||
| This work will fit in with Seth's plans to create a comprehensive SBOM strategy for Python packages in order to enable | ||
| projects to conform to both the CRA and the Secure Software Development Framework. | ||
|
|
||
| ## Python and Sigstore | ||
|
|
||
| Seth completed the [audit and remediation](https://discuss.python.org/t/cpython-sigstore-bundles-migrated-to-include-checkpoints/63646) of current Sigstore signatures for CPython | ||
| after it was reported by users that the latest Sigstore tooling was failing when verifying | ||
| existing bundles. This required migrating older Sigstore bundles to the newer bundle format | ||
| (v0.3) using custom tooling and then verifying all bundles against their expected identities. | ||
|
|
||
| This work is completed to advance the usage of Sigstore in the Python ecosystem, the technology | ||
| is already being adopted on the Python Package Index side via PEP 740 (index attestations) and | ||
| we'd like to see Sigstore continue to be adopted in the Python ecosystem and elsewhere. | ||
|
|
||
| Seth started the [PEP process by opening a discussion](https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058). This discussion revealed | ||
| a few misunderstandings about Sigstore's feature-set (such as offline verification) from prospective verifiers | ||
| (like Fedora, openSUSE, and Gentoo). The [official documentation for verifying CPython releases with Sigstore](https://www.python.org/downloads/metadata/sigstore/) | ||
| was updated to include a section on how to migrate from GPG to Sigstore, including offline verification and using | ||
| a compiled stand-alone binary like [sigstore-go](https://github.com/sigstore/sigstore-go/). | ||
|
|
||
| Next steps are to draft up a PEP (Python Enhancement Proposal) and have it be reviewed and potentially | ||
| approved by the Steering Council. | ||
|
|
||
| ## Pallets projects joins the PSF CNA umbrella | ||
|
|
||
| The Python Software Foundation CNA has [added fiscal sponsoree Pallets projects](https://pyfound.blogspot.com/2024/08/pallets-projects-now-in-scope-for-psf-cna.html) (such as Flask, Jinja2, Click, etc) | ||
| under our CVE Numbering Authority scoping. This is being done to learn how the PSF can better serve Python's | ||
| large ecosystem of projects in the context of the CVE ecosystem. | ||
|
|
||
| ## Security releases for CPython | ||
|
|
||
| CPython [released 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20](https://discuss.python.org/t/python-3-13-0rc2-3-12-6-3-11-10-3-10-15-3-9-20-and-3-8-20-are-now-available/63161) in September containing fixes for 8 vulnerabilities. | ||
| The updates also fixed multiple vulnerabilities in libexpat and OpenSSL. Using CNA automation tooling the affected ranges for | ||
| all CPython CVEs were automatically updated and fixes are detectable in CPython SBOM documents. | ||
|
|
||
| ## Other items | ||
|
|
||
| * Responded to security reports sent to the Python Security Response Team and CNA duties. | ||
| * Attended call with ONCD discussing our response to the RFI last year and the summary published by ONCD. |