From 37976343e759202b69977904b3cd98ee605ed3b0 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Thu, 29 Aug 2024 12:17:21 -0500 Subject: [PATCH] Add PSF update for August 2024 Signed-off-by: Seth Michael Larson --- .../update-2024-08.md | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 alpha/engagements/2024/Python Software Foundation/update-2024-08.md diff --git a/alpha/engagements/2024/Python Software Foundation/update-2024-08.md b/alpha/engagements/2024/Python Software Foundation/update-2024-08.md new file mode 100644 index 00000000..22762237 --- /dev/null +++ b/alpha/engagements/2024/Python Software Foundation/update-2024-08.md @@ -0,0 +1,66 @@ +# Update 2024-08 + +## Talk Python podcast on Supply Chain Security and Python Language Summit 2024 + +Seth was a guest on [Talk Python Podcast](https://open.spotify.com/episode/0a06wRawm4xZGIDEN4ZOqa?si=f61f3348959841b3) (#1 Python podcast) talking about +supply chain security for CPython and the Python Language Summit. + +## Sigstore bundle migration for CPython + +We [received a report](https://github.com/python/cpython/issues/122785) that some CPython Sigstore bundles were receiving concerning errors during verification. +This was due to the bundles being generated with an old version of the Python Sigstore client that didn't +generate a standards-compliant bundle (because there was no such standard at the time!) so now the latest +Sigstore clients reject the bundle. + +To remedy this, Seth [upgraded the Sigstore CLI](https://github.com/python/release-tools/pull/159) in use for the CPython release process to the latest version +and worked on a back-fill script which Python release managers will run to in-place upgrade the Sigstore +bundles without requiring re-signing of the artifacts. Seth has authored a blog post for what we learned +during this process along with tips on managing user-generated Sigstore signatures. + +## CPython SBOM conformance to upcoming CISA standards for SBOM + +The [final draft](https://docs.google.com/document/d/1z8hKtPxs5OWaspst120NHN9XXgyULGl2aKdSebwIYPc) for CISA's "Establishing a Common Software Bill of Materials document" +was shared in the OpenSSF SBOM Everywhere WG. I evaluated the current SBOMs we're generating for +CPython and compared them to the document's new maturity model for SBOMs: + +* Author Name, Timestamp, Primary Component, Component Name and Version, Supplier Name, + Unique Identifier, Cryptographic Hash, Relationship, and Redacted items were the highest maturity level. +* Heritage, License, Copyright Notice, and SBOM Type are areas of improvement for our SBOMs. + +Seth [created a GitHub issue](https://github.com/python/cpython/issues/123038) to address these gaps once the guidance is finally published. + +## CVE Numbering Authority (CNA) + +Pallets, the organization that maintains the popular Python packages Flask, Click, Quart, Werkzeug, among others +requested to be scoped under the PSF CNA. After some discovery and discussion with folks involved with +CVE we have decided to move forward with an updated scope. The updates to our CNA scope, website, and processes +are ready to go pending MITRE's approval of our scope change. + +This foray into supporting projects beyond CPython and pip with our CNA is an experiment into how we can better +serve the Python package ecosystem. Seth authored an announcement blog post that will be published once the change is finalized. + +The PSF CNA also onboarded the new PSF Infrastructure engineer Jacob Coffee as +a CNA operator and point-of-contact. We updated our point-of-contact list according to +the latest CNA rules (adding phone numbers for multiple PoCs). +Jacob took the CNA onboarding training we created and created his first advisory and +CVE records. + +Published advisories for [CVE-2024-6923](https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/), +[CVE-2024-7592](https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/), +and [CVE-2024-8088](https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/). + +## PyCon Taiwan 2024 + +Seth Larson is keynoting [PyCon Taiwan 2024](https://tw.pycon.org/2024/en-us/about) on the topic of Python supply chain security in late September. +Spent a chunk of time preparing slides and the presentation this month. + +## Other items + +* Alpha-Omega grant was renewed through 2024, see announcement blog post: + * https://pyfound.blogspot.com/2024/08/security-developer-in-residence-role.html +* August was the last month of Google Summer of Code. Seth's mentee Nate Ohlson [submitted his final report of the project](http://nohlson.com/blog/CPython-Compiler-Hardening-Summer-Retrospective/) + for adopting the OpenSSF C/C++ compiler options hardening guide into CPython. +* Authored vulnerability fixes for IPv4-mapped IPv6 addresses, reviewed email quoting fix, zipfile infinite loop. +* Submitted a CVE rejection request for bogus pandas CVE (CVE-2024-42992) which was accepted. +* Reviewed packaging standards for [PEP 710](https://peps.python.org/pep-0710/) (index installation records), + [PEP 751](https://peps.python.org/pep-0751/) (Python lock files), and [PEP 752](https://peps.python.org/pep-0752/) (Package index reserved prefixes).