This month's primary focus has been in the Python Security Response Team (PSRT) processes and membership policy. Today, this group is fairly loosely organized and doesn't have a membership policy which would be useful for both promoting new members and removing members who are no longer contributing to the PSRT.
The long-term vision is to adopt GitHub Security Advisories as a ticketing system for tracking vulnerability reports and assign a single "Coordinator" to each ticket to ensure there's clear ownership of each report and who is responsible for taking a report end-to-end through the process, either by marking the report as not a vulnerability or getting a fix and publishing an advisory.
- Author a PEP on PSRT membership policy and expectations, receive sponsorship of the PEP from Python Steering Council member Gregory P. Smith. Currently this PEP is being reviewed by PSRT and will be updated and posted publicly for discussion before it's acceptance.
- Update the PSRT developer guide documentation with the new process including the "Coordinator" role.
- Create a small GitHub app that handles the gaps in features from GitHub Security Advisories.
- Enable GitHub Security Advisories for the CPython repo and begin experimenting with processes.
The "Trusted Publishers for All Package Repositories" guide has been accepted and published by the OpenSSF Securing Software Repositories Working Group. I've authored the announcement blog post for the OpenSSF blog. This guide has garnered interest from other package repository maintainers looking to add Trusted Publishers as a new security feature.
An effort that started before the Security Developer-in-Residence role, pip now in v24.2 uses the system trust store of certificates by default instead of the static Mozilla CA bundle provided by certifi.
This makes pip behave similarly to other applications on a system by using the trust policy defined at the system level instead of a per-application trust policy. Corporate proxies now /just work/ out of the box without modifying pip and revoked certificates now propagate to the application automatically rather than requiring a manual update to certifi.
- Authored and submitted grant renewal to Alpha-Omega for the next 6 months which included PSRT work, SBOM strategy for Python packages, and macOS SBOM+release automation for CPython.
- Authored fixes and advisories for two vulnerabilities, tarfile header decoding and socketpair authentication.
- Invited as a panelist to the "Maintainers Read the CRA" group representing the Python Software Foundation and specifically "Open Source Foundations".
- Google Summer of Code mentoring: only one more month after July. Contributor is making great progress, passed their midterm evaluation and is continuing to move forwards on adopting the C/C++ compiler options hardening guide in CPython.
- Planning logistics for PyCon Taiwan to keynote about software supply chain security in Python.