From 5bf72013b7a87ab15a668e89f34f20b4182b0b25 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Fri, 27 Sep 2024 14:45:23 -0500 Subject: [PATCH] Add engagement for PSF Sept 2024 --- .../update-2024-09.md | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 alpha/engagements/2024/Python Software Foundation/update-2024-09.md diff --git a/alpha/engagements/2024/Python Software Foundation/update-2024-09.md b/alpha/engagements/2024/Python Software Foundation/update-2024-09.md new file mode 100644 index 00000000..9cb6ec45 --- /dev/null +++ b/alpha/engagements/2024/Python Software Foundation/update-2024-09.md @@ -0,0 +1,63 @@ +# Update 2024-09 + +## PyCon Taiwan 2024 Keynote + +![](https://storage.googleapis.com/sethmlarson-dev-static-assets/IMG_9994.PNG) + +Seth Larson [keynoted PyCon Taiwan 2024](https://tw.pycon.org/2024/en-us/conference/keynotes), a regional Python conference in Kaohsiung, Taiwan during September 21st through 23rd. + +The talk was titled "Bytes, Pipes, and People" and discussed why open source security is important today and +the challenges and tools for improving the security posture of a decentralized software ecosystem like Python. +Slides, an overview, and links to mentioned topics [has been published](https://sethmlarson.dev/pycon-taiwan-2024). +PyCon Taiwan will publish the recording to [their YouTube channel](https://www.youtube.com/@PyConTaiwanVideo) in a few months. + +The talk was well-received, garnering many questions from the audience during Q&A and after the talk. + +Seth was also a guest on the PyCast podcast in Taiwan for a multi-hour long recording session discussing the +Security Developer-in-Residence role and Python security. This recording will be published in December. + +## Open Regulatory Compliance WG: Cyber Resilience Act + +Seth joined the [Open Regulatory Compliance WG](https://gitlab.eclipse.org/eclipse-wg/open-regulatory-compliance-wg) +to collaborate on Cyber Resilience Act work-stream, specifically the [horizontal security standards](https://gitlab.eclipse.org/eclipse-wg/open-regulatory-compliance-wg/cra-topics/-/blob/main/standards.md#horizontal-standards-due-aug-2026) +for the CRA that are due in August 2026. + +This work will fit in with Seth's plans to create a comprehensive SBOM strategy for Python packages in order to enable +projects to conform to both the CRA and the Secure Software Development Framework. + +## Python and Sigstore + +Seth completed the [audit and remediation](https://discuss.python.org/t/cpython-sigstore-bundles-migrated-to-include-checkpoints/63646) of current Sigstore signatures for CPython +after it was reported by users that the latest Sigstore tooling was failing when verifying +existing bundles. This required migrating older Sigstore bundles to the newer bundle format +(v0.3) using custom tooling and then verifying all bundles against their expected identities. + +This work is completed to advance the usage of Sigstore in the Python ecosystem, the technology +is already being adopted on the Python Package Index side via PEP 740 (index attestations) and +we'd like to see Sigstore continue to be adopted in the Python ecosystem and elsewhere. + +Seth started the [PEP process by opening a discussion](https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058). This discussion revealed +a few misunderstandings about Sigstore's feature-set (such as offline verification) from prospective verifiers +(like Fedora, openSUSE, and Gentoo). The [official documentation for verifying CPython releases with Sigstore](https://www.python.org/downloads/metadata/sigstore/) +was updated to include a section on how to migrate from GPG to Sigstore, including offline verification and using +a compiled stand-alone binary like [sigstore-go](https://github.com/sigstore/sigstore-go/). + +Next steps are to draft up a PEP (Python Enhancement Proposal) and have it be reviewed and potentially +approved by the Steering Council. + +## Pallets projects joins the PSF CNA umbrella + +The Python Software Foundation CNA has [added fiscal sponsoree Pallets projects](https://pyfound.blogspot.com/2024/08/pallets-projects-now-in-scope-for-psf-cna.html) (such as Flask, Jinja2, Click, etc) +under our CVE Numbering Authority scoping. This is being done to learn how the PSF can better serve Python's +large ecosystem of projects in the context of the CVE ecosystem. + +## Security releases for CPython + +CPython [released 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20](https://discuss.python.org/t/python-3-13-0rc2-3-12-6-3-11-10-3-10-15-3-9-20-and-3-8-20-are-now-available/63161) in September containing fixes for 8 vulnerabilities. +The updates also fixed multiple vulnerabilities in libexpat and OpenSSL. Using CNA automation tooling the affected ranges for +all CPython CVEs were automatically updated and fixes are detectable in CPython SBOM documents. + +## Other items + +* Responded to security reports sent to the Python Security Response Team and CNA duties. +* Attended call with ONCD discussing our response to the RFI last year and the summary published by ONCD.