Skip to content

Engagement update for PSF 2024-09 #420

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 7, 2024
Merged

Engagement update for PSF 2024-09 #420

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 63 additions & 0 deletions alpha/engagements/2024/Python Software Foundation/update-2024-09.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
# Update 2024-09

## PyCon Taiwan 2024 Keynote

![](https://storage.googleapis.com/sethmlarson-dev-static-assets/IMG_9994.PNG)

Seth Larson [keynoted PyCon Taiwan 2024](https://tw.pycon.org/2024/en-us/conference/keynotes), a regional Python conference in Kaohsiung, Taiwan during September 21st through 23rd.

The talk was titled "Bytes, Pipes, and People" and discussed why open source security is important today and
the challenges and tools for improving the security posture of a decentralized software ecosystem like Python.
Slides, an overview, and links to mentioned topics [has been published](https://sethmlarson.dev/pycon-taiwan-2024).
PyCon Taiwan will publish the recording to [their YouTube channel](https://www.youtube.com/@PyConTaiwanVideo) in a few months.

The talk was well-received, garnering many questions from the audience during Q&A and after the talk.

Seth was also a guest on the PyCast podcast in Taiwan for a multi-hour long recording session discussing the
Security Developer-in-Residence role and Python security. This recording will be published in December.

## Open Regulatory Compliance WG: Cyber Resilience Act

Seth joined the [Open Regulatory Compliance WG](https://gitlab.eclipse.org/eclipse-wg/open-regulatory-compliance-wg)
to collaborate on Cyber Resilience Act work-stream, specifically the [horizontal security standards](https://gitlab.eclipse.org/eclipse-wg/open-regulatory-compliance-wg/cra-topics/-/blob/main/standards.md#horizontal-standards-due-aug-2026)
for the CRA that are due in August 2026.

This work will fit in with Seth's plans to create a comprehensive SBOM strategy for Python packages in order to enable
projects to conform to both the CRA and the Secure Software Development Framework.

## Python and Sigstore

Seth completed the [audit and remediation](https://discuss.python.org/t/cpython-sigstore-bundles-migrated-to-include-checkpoints/63646) of current Sigstore signatures for CPython
after it was reported by users that the latest Sigstore tooling was failing when verifying
existing bundles. This required migrating older Sigstore bundles to the newer bundle format
(v0.3) using custom tooling and then verifying all bundles against their expected identities.

This work is completed to advance the usage of Sigstore in the Python ecosystem, the technology
is already being adopted on the Python Package Index side via PEP 740 (index attestations) and
we'd like to see Sigstore continue to be adopted in the Python ecosystem and elsewhere.

Seth started the [PEP process by opening a discussion](https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058). This discussion revealed
a few misunderstandings about Sigstore's feature-set (such as offline verification) from prospective verifiers
(like Fedora, openSUSE, and Gentoo). The [official documentation for verifying CPython releases with Sigstore](https://www.python.org/downloads/metadata/sigstore/)
was updated to include a section on how to migrate from GPG to Sigstore, including offline verification and using
a compiled stand-alone binary like [sigstore-go](https://github.com/sigstore/sigstore-go/).

Next steps are to draft up a PEP (Python Enhancement Proposal) and have it be reviewed and potentially
approved by the Steering Council.

## Pallets projects joins the PSF CNA umbrella

The Python Software Foundation CNA has [added fiscal sponsoree Pallets projects](https://pyfound.blogspot.com/2024/08/pallets-projects-now-in-scope-for-psf-cna.html) (such as Flask, Jinja2, Click, etc)
under our CVE Numbering Authority scoping. This is being done to learn how the PSF can better serve Python's
large ecosystem of projects in the context of the CVE ecosystem.

## Security releases for CPython

CPython [released 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20](https://discuss.python.org/t/python-3-13-0rc2-3-12-6-3-11-10-3-10-15-3-9-20-and-3-8-20-are-now-available/63161) in September containing fixes for 8 vulnerabilities.
The updates also fixed multiple vulnerabilities in libexpat and OpenSSL. Using CNA automation tooling the affected ranges for
all CPython CVEs were automatically updated and fixes are detectable in CPython SBOM documents.

## Other items

* Responded to security reports sent to the Python Security Response Team and CNA duties.
* Attended call with ONCD discussing our response to the RFI last year and the summary published by ONCD.
Loading