Seth Larson keynoted PyCon Taiwan 2024, a regional Python conference in Kaohsiung, Taiwan during September 21st through 23rd.
The talk was titled "Bytes, Pipes, and People" and discussed why open source security is important today and the challenges and tools for improving the security posture of a decentralized software ecosystem like Python. Slides, an overview, and links to mentioned topics has been published. PyCon Taiwan will publish the recording to their YouTube channel in a few months.
The talk was well-received, garnering many questions from the audience during Q&A and after the talk.
Seth was also a guest on the PyCast podcast in Taiwan for a multi-hour long recording session discussing the Security Developer-in-Residence role and Python security. This recording will be published in December.
Seth joined the Open Regulatory Compliance WG to collaborate on Cyber Resilience Act work-stream, specifically the horizontal security standards for the CRA that are due in August 2026.
This work will fit in with Seth's plans to create a comprehensive SBOM strategy for Python packages in order to enable projects to conform to both the CRA and the Secure Software Development Framework.
Seth completed the audit and remediation of current Sigstore signatures for CPython after it was reported by users that the latest Sigstore tooling was failing when verifying existing bundles. This required migrating older Sigstore bundles to the newer bundle format (v0.3) using custom tooling and then verifying all bundles against their expected identities.
This work is completed to advance the usage of Sigstore in the Python ecosystem, the technology is already being adopted on the Python Package Index side via PEP 740 (index attestations) and we'd like to see Sigstore continue to be adopted in the Python ecosystem and elsewhere.
Seth started the PEP process by opening a discussion. This discussion revealed a few misunderstandings about Sigstore's feature-set (such as offline verification) from prospective verifiers (like Fedora, openSUSE, and Gentoo). The official documentation for verifying CPython releases with Sigstore was updated to include a section on how to migrate from GPG to Sigstore, including offline verification and using a compiled stand-alone binary like sigstore-go.
Next steps are to draft up a PEP (Python Enhancement Proposal) and have it be reviewed and potentially approved by the Steering Council.
The Python Software Foundation CNA has added fiscal sponsoree Pallets projects (such as Flask, Jinja2, Click, etc) under our CVE Numbering Authority scoping. This is being done to learn how the PSF can better serve Python's large ecosystem of projects in the context of the CVE ecosystem.
CPython released 3.12.6, 3.11.10, 3.10.15, 3.9.20, and 3.8.20 in September containing fixes for 8 vulnerabilities. The updates also fixed multiple vulnerabilities in libexpat and OpenSSL. Using CNA automation tooling the affected ranges for all CPython CVEs were automatically updated and fixes are detectable in CPython SBOM documents.
- Responded to security reports sent to the Python Security Response Team and CNA duties.
- Attended call with ONCD discussing our response to the RFI last year and the summary published by ONCD.