Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add PSF update for August 2024 #410

Merged
merged 1 commit into from
Sep 3, 2024
Merged

Add PSF update for August 2024 #410

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 66 additions & 0 deletions alpha/engagements/2024/Python Software Foundation/update-2024-08.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
# Update 2024-08

## Talk Python podcast on Supply Chain Security and Python Language Summit 2024

Seth was a guest on [Talk Python Podcast](https://open.spotify.com/episode/0a06wRawm4xZGIDEN4ZOqa?si=f61f3348959841b3) (#1 Python podcast) talking about
supply chain security for CPython and the Python Language Summit.

## Sigstore bundle migration for CPython

We [received a report](https://github.com/python/cpython/issues/122785) that some CPython Sigstore bundles were receiving concerning errors during verification.
This was due to the bundles being generated with an old version of the Python Sigstore client that didn't
generate a standards-compliant bundle (because there was no such standard at the time!) so now the latest
Sigstore clients reject the bundle.

To remedy this, Seth [upgraded the Sigstore CLI](https://github.com/python/release-tools/pull/159) in use for the CPython release process to the latest version
and worked on a back-fill script which Python release managers will run to in-place upgrade the Sigstore
bundles without requiring re-signing of the artifacts. Seth has authored a blog post for what we learned
during this process along with tips on managing user-generated Sigstore signatures.

## CPython SBOM conformance to upcoming CISA standards for SBOM

The [final draft](https://docs.google.com/document/d/1z8hKtPxs5OWaspst120NHN9XXgyULGl2aKdSebwIYPc) for CISA's "Establishing a Common Software Bill of Materials document"
was shared in the OpenSSF SBOM Everywhere WG. I evaluated the current SBOMs we're generating for
CPython and compared them to the document's new maturity model for SBOMs:

* Author Name, Timestamp, Primary Component, Component Name and Version, Supplier Name,
Unique Identifier, Cryptographic Hash, Relationship, and Redacted items were the highest maturity level.
* Heritage, License, Copyright Notice, and SBOM Type are areas of improvement for our SBOMs.

Seth [created a GitHub issue](https://github.com/python/cpython/issues/123038) to address these gaps once the guidance is finally published.

## CVE Numbering Authority (CNA)

Pallets, the organization that maintains the popular Python packages Flask, Click, Quart, Werkzeug, among others
requested to be scoped under the PSF CNA. After some discovery and discussion with folks involved with
CVE we have decided to move forward with an updated scope. The updates to our CNA scope, website, and processes
are ready to go pending MITRE's approval of our scope change.

This foray into supporting projects beyond CPython and pip with our CNA is an experiment into how we can better
serve the Python package ecosystem. Seth authored an announcement blog post that will be published once the change is finalized.

The PSF CNA also onboarded the new PSF Infrastructure engineer Jacob Coffee as
a CNA operator and point-of-contact. We updated our point-of-contact list according to
the latest CNA rules (adding phone numbers for multiple PoCs).
Jacob took the CNA onboarding training we created and created his first advisory and
CVE records.

Published advisories for [CVE-2024-6923](https://mail.python.org/archives/list/[email protected]/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/),
[CVE-2024-7592](https://mail.python.org/archives/list/[email protected]/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/),
and [CVE-2024-8088](https://mail.python.org/archives/list/[email protected]/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/).

## PyCon Taiwan 2024

Seth Larson is keynoting [PyCon Taiwan 2024](https://tw.pycon.org/2024/en-us/about) on the topic of Python supply chain security in late September.
Spent a chunk of time preparing slides and the presentation this month.

## Other items

* Alpha-Omega grant was renewed through 2024, see announcement blog post:
* https://pyfound.blogspot.com/2024/08/security-developer-in-residence-role.html
* August was the last month of Google Summer of Code. Seth's mentee Nate Ohlson [submitted his final report of the project](http://nohlson.com/blog/CPython-Compiler-Hardening-Summer-Retrospective/)
for adopting the OpenSSF C/C++ compiler options hardening guide into CPython.
* Authored vulnerability fixes for IPv4-mapped IPv6 addresses, reviewed email quoting fix, zipfile infinite loop.
* Submitted a CVE rejection request for bogus pandas CVE (CVE-2024-42992) which was accepted.
* Reviewed packaging standards for [PEP 710](https://peps.python.org/pep-0710/) (index installation records),
[PEP 751](https://peps.python.org/pep-0751/) (Python lock files), and [PEP 752](https://peps.python.org/pep-0752/) (Package index reserved prefixes).
Loading