Engagement update for PSF Sept 2024

sethmlarson · sethmlarson · commit ba94c891092e · 2024-09-27T14:46:09.000-05:00
Signed-off-by: Seth Michael Larson &lt;seth@python.org&gt;
diff --git a/alpha/engagements/2024/Python Software Foundation/update-2024-09.md b/alpha/engagements/2024/Python Software Foundation/update-2024-09.md
@@ -0,0 +1,63 @@
+# Update 2024-09
+
+## PyCon Taiwan 2024 Keynote
+
+![](https://storage.googleapis.com/sethmlarson-dev-static-assets/IMG_9994.PNG)
+
+Seth Larson [keynoted PyCon Taiwan 2024](https://tw.pycon.org/2024/en-us/conference/keynotes), a regional Python conference in Kaohsiung, Taiwan during September 21st through 23rd.
+
+The talk was titled "Bytes, Pipes, and People" and discussed why open source security is important today and
+the challenges and tools for improving the security posture of a decentralized software ecosystem like Python.
+Slides, an overview, and links to mentioned topics [has been published](https://sethmlarson.dev/pycon-taiwan-2024).
+PyCon Taiwan will publish the recording to [their YouTube channel](https://www.youtube.com/@PyConTaiwanVideo) in a few months. 
+
+The talk was well-received, garnering many questions from the audience during Q&A and after the talk.
+
+Seth was also a guest on the PyCast podcast in Taiwan for a multi-hour long recording session discussing the
+Security Developer-in-Residence role and Python security. This recording will be published in December.
+
+## Open Regulatory Compliance WG: Cyber Resilience Act
+
+Seth joined the [Open Regulatory Compliance WG](https://gitlab.eclipse.org/eclipse-wg/open-regulatory-compliance-wg)
+to collaborate on Cyber Resilience Act work-stream, specifically the [horizontal security standards](https://gitlab.eclipse.org/eclipse-wg/open-regulatory-compliance-wg/cra-topics/-/blob/main/standards.md#horizontal-standards-due-aug-2026)
+for the CRA that are due in August 2026.
+
+This work will fit in with Seth's plans to create a comprehensive SBOM strategy for Python packages in order to enable
+projects to conform to both the CRA and the Secure Software Development Framework.
+
+## Python and Sigstore
+
+Seth completed the [audit and remediation](https://discuss.python.org/t/cpython-sigstore-bundles-migrated-to-include-checkpoints/63646) of current Sigstore signatures for CPython
+after it was reported by users that the latest Sigstore tooling was failing when verifying
+existing bundles. This required migrating older Sigstore bundles to the newer bundle format
+(v0.3) using custom tooling and then verifying all bundles against their expected identities. 
+
+This work is completed to advance the usage of Sigstore in the Python ecosystem, the technology
+is already being adopted on the Python Package Index side via PEP 740 (index attestations) and
+we'd like to see Sigstore continue to be adopted in the Python ecosystem and elsewhere.
+
+Seth started the [PEP process by opening a discussion](https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058). This discussion revealed
+a few misunderstandings about Sigstore's feature-set (such as offline verification) from prospective verifiers
+(like Fedora, openSUSE, and Gentoo). The [official documentation for verifying CPython releases with Sigstore](https://www.python.org/downloads/metadata/sigstore/)
+was updated to include a section on how to migrate from GPG to Sigstore, including offline verification and using
+a compiled stand-alone binary like [sigstore-go](https://github.com/sigstore/sigstore-go/).
+
+Next steps are to draft up a PEP (Python Enhancement Proposal) and have it be reviewed and potentially
+approved by the Steering Council.
+
+## Pallets projects joins the PSF CNA umbrella
+
+The Python Software Foundation CNA has [added fiscal sponsoree Pallets projects](https://pyfound.blogspot.com/2024/08/pallets-projects-now-in-scope-for-psf-cna.html) (such as Flask, Jinja2, Click, etc)
+under our CVE Numbering Authority scoping. This is being done to learn how the PSF can better serve Python's
+large ecosystem of projects in the context of the CVE ecosystem.
+
+## Security releases for CPython
+
+CPython [released 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20](https://discuss.python.org/t/python-3-13-0rc2-3-12-6-3-11-10-3-10-15-3-9-20-and-3-8-20-are-now-available/63161) in September containing fixes for 8 vulnerabilities.
+The updates also fixed multiple vulnerabilities in libexpat and OpenSSL. Using CNA automation tooling the affected ranges for
+all CPython CVEs were automatically updated and fixes are detectable in CPython SBOM documents.
+
+## Other items
+
+* Responded to security reports sent to the Python Security Response Team and CNA duties.
+* Attended call with ONCD discussing our response to the RFI last year and the summary published by ONCD.
