The highlight of this month for any Pythonista is PyCon US 2024, the largest community gathering of Python developers in the world. Security Developer-in-Residence Seth Larson attended PyCon US and delivered a talk on "State of Python Supply Chain Security" with Michael Winser to a packed conference room and appeared on the main conference stage for the "Meet the Python Software Foundation Security Engineers" segment alongside PyPI Safety Engineer Mike Fiedler.
Seth's plans for the year ahead include collaborating with Python open source project maintainers, mainly on the adoption of security best practices, software bills of materials (SBOMs), and build provenance across the Python packaging ecosystem. Seth met with maintainers of large Python project communities, such as the Python Packaging Authority (PyPA), Jazzband, Pallets, Conda Forge, and the scientific computing community, to discuss the year ahead.
Seth attended the Python Language Summit to discuss CPython's security model for contributors and co-hosted an open space on Vulnerability Management with GitHub Security and CVE board member Madison Oliver.
Shortly after PyCon US had wrapped, it was announced that Seth Larson would be keynoting PyCon Taiwan 2024 in September with a talk on software supply chain security.
Google Summer of Code 2024 recently published its list of accepted projects and contributors, and among them is CPython's project to adopt the OpenSSF Hardened Compiler Options Guide for C/C++. Seth is mentoring the contributor through the process of contributing to CPython, with the goal of successfully adopting the guide's recommended options.
- Windows artifacts on python.org will ship with Software Bill-of-Materials documents starting with the next CPython release. The final step, uploading the documents to python.org, has been merged.
- SBOM generation has been added to the Windows build scripts for core developers using Windows.
- Separated the build, testing, and documentation stages of the CPython release process, which reduced the dependencies of the source build by roughly 660.
- SOSS Community Day talks "Embrace the differences: securing OSS ecosystems where they are" and the TTX Session have been uploaded to YouTube.
- Working on PyCon US 2024 talk slides with Michael Winser.
- Co-authoring the "Trusted Publishing for All Package Repositories" guide for the OpenSSF Securing Software Repos WG.
- Submitted a few bugfixes to Truststore, released a new version, and upgraded pip's vendored copy.
- Upgrading pip to use Truststore by default.
- Triaging reports to the Python Security Response Team.
- Published two blog posts to his personal blog.