Python Developer-in-Residence Łukasz Langa was able to dry-run, review, and merge the longstanding pull request to automate the source and docs builds in GitHub Actions. This automation is serving as the base for future improvements to the hardening of the CPython release process.
The newly automated release process was used successfully for CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a6. Release managers have requested further automation of the builds which signals that this improvement to security is also making release managers' lives easier.
Now that the build is automated, I've begun improving the process first by splitting the build and test phases and secondly by splitting the source build and docs builds due to the vast difference in number of dependencies and supply chain criticality (source requires far fewer and is more important).
Created a proposal for allowing any release manager to create a CPython release. This would include migrating to a machine-identity instead of human identity for Sigstore signatures. Plan is to add provenance to the source build to prevent tampering after the build has completed. Current process is to sign the artifacts on the release managers' machine which is a window of opportunity for the artifact to be modified.
Have worked with Windows release manager Steve Dower on getting Windows SBOM documents generating for CPython. Windows SBOM documents now get generated, and uploaded. I also canonicalized the generation of the source and dependency SBOM documents on Windows where paths and newlines are different.
The next set of CPython releases should include SBOMs for Windows artifacts (embedded and MSI).
The macOS binary installer is the only remaining artifact to not have SBOMs. I have plans with release managers Ned Deily and Łukasz Langa to work on the macOS release process at PyCon US. After this we can consider CPython completely SBOM-ified!
I attended SOSS Community Day and OSS Summit and was in Seattle from April 14th to 19th. Gave a talk at SOSS Community Day: "Embrace the Differences: Securing software ecosystems where they are" I also participated in the OpenSSF Tabletop Session and played the role as "open source maintainer".
I met the entire Alpha-Omega cohort, attended the Alpha-Omega discussion session.
- Planning a talk for PyCon US 2024 with Michael Winser titled "State of Python Supply Chain Security"
- Planning an open space for PyCon US 2024 with Madison Oliver for helping Python project maintainers and users with vulnerability management.
Published two blog posts to my blog:
- Reviewed PEP 740 (Support for digital attestations on PyPI). This is a prerequisite for publish and build provenance on PyPI. Plan is to add support for publish provenance with the official PyPI GitHub Actions upload.
- Reviewed PEP 543 revival effort
- Reviewed the Google Summer of Code proposals for my project "OpenSSF Hardened Compiler Options for C/C++" for CPython
- Participated in too many discussions to count about the xz-utils backdoor. Wrote up my thoughts and published them.
- Created pull request and backported libexpat 2.6.2 upgrade to mitigate a vulnerability.
- Added support for Python 3.13 to Truststore and submitted 2 bug fixes. This project is being used as a basis for PEP 543 revival.
- Triaged and coordinated reports to the Python Security Response Team.