Skip to content

Latest commit

 

History

History
41 lines (32 loc) · 2.61 KB

update-2024-10.md

File metadata and controls

41 lines (32 loc) · 2.61 KB

Update 2024-10

Seth was under the weather not once but twice in October 🤧

PEP 761: Deprecation of PGP for CPython artifacts

Seth authored PEP 761, including leading the expected pre-PEP and PEP discussions. The PEP was received positively by CPython core developers and release managers. The discussions included downstream verifiers like Python container image and Linux package distribution maintainers.

During the discussions the feasibility and blockers for these downstream verifiers adopting Sigstore was discussed, including dispelling myths around offline verification, how Sigstore worked, and the availability of tools to verify the signatures. Seth forwarded feedback to Sigstore maintainers. Overall, despite requiring some work by downstream verifiers to adopt Sigstore I believe the discussions were productive.

The earliest version that could remove PGP signatures is Python 3.14 pending a decision from the Python Steering Council.

Media: Open Source Security podcast, We Love Open Source, CVE

  • Seth was a guest on the Open Source Security podcast talking about the engagement with Alpha-Omega, including work on Sigstore and SBOMs.
  • While attending All Things Open, Seth was invited as a guest on the "We Love Open Source" podcast for a quick segment on Open Source security and sustainability.
  • Seth was quoted in the CVE 25th Anniversary report on the involvement of open source.

Other items

  • Authored early draft for Alpha-Omega annual report summary and details to be used as an example.
  • Added support for macOS 10.13 and earlier to the Truststore package. Updated pip to use the new version of Truststore. This was the only major issue reported after pip switched to using Truststore by default.
  • Started work on "SBOMs in Python packages" PEP to prepare for a pre-PEP discussion.
  • Drafted a reply with legal counsel to federal agencies requesting SSDF attestations.
  • Met with Marty Haught from Rubygems on building a culture of security.
  • Published advisory for CVE-2024-9287
  • Reviewed PEP 751 (Python lock files) for additions to add dependency graph data. This data is useful for Software Bill-of-Materials generation using lock files to set proper dependency information.