Security Developer‑in‑Residence Weekly Report #22
This critical role would not be possible without funding from the OpenSSF Alpha-Omega project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!
This week was all about working on Software Bill-of-Materials tooling and documentation for CPython. I published a new resource to the CPython core developer guide. This documents Software Bill-of-Materials and all of the tooling and processes for adding, updating, and removing dependencies. I'll continue to add to this document as more is developed in this project.
During an upgrade to CPython's ensurepip module, the bundled pip wheel was upgraded to version 23.3.2; however, during the upgrade there was some confusion about what to do with an SBOM CI failure due to the Developer Guide documentation not yet being live. This resulted in the SBOM becoming out-of-date.
I fixed the SBOM ahead of the 3.13.0a3 release and automated the pip SBOM metadata discovery since pip is a part of a packaging ecosystem which isn't the case for most of CPython dependencies in the source tree.
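To make the two steps above concrete, here is an added, illustrative example written for this page; it is not CPython's own SBOM tooling. It shows what an SBOM CI check catches when a bundled wheel is upgraded but the SBOM entry is not (a stale version, checksum and purl), and how the pip entry can be regenerated from the wheel itself, since pip comes from a packaging ecosystem with a well-defined filename format (PEP 427) and package URL scheme (pkg:pypi). The directory layout (Lib/ensurepip/_bundled/, Misc/sbom.spdx.json), the placeholder wheel bytes and the stale SBOM entry are constructed for the example; the PyPI project page is used as a stand-in downloadLocation so the example runs offline, rather than resolving the exact file URL from PyPI as real tooling would.

```python
"""Illustrative SBOM check/regeneration for a vendored pip wheel.

Added example for this page, not CPython's own tooling. Paths, the stand-in
wheel bytes and the stale SBOM entry below are constructed fixtures.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# PEP 427 wheel filename:
#   {distribution}-{version}(-{build tag})?-{python tag}-{abi tag}-{platform tag}.whl
WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<python>[^-]+)-(?P<abi>[^-]+)-(?P<platform>[^-]+)\.whl$"
)


def parse_wheel_filename(filename: str) -> dict:
    """Extract the distribution name (PEP 503 normalized) and version from a wheel filename."""
    m = WHEEL_RE.match(filename)
    if not m:
        raise ValueError(f"not a valid wheel filename: {filename}")
    name = re.sub(r"[-_.]+", "-", m["name"]).lower()
    return {"name": name, "version": m["version"], "build": m["build"],
            "python": m["python"], "abi": m["abi"], "platform": m["platform"]}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def spdx_package_for_wheel(wheel_path: Path) -> dict:
    """Build an SPDX 2.3 package entry from the wheel on disk, not from a hand-edited record."""
    meta = parse_wheel_filename(wheel_path.name)
    name, version = meta["name"], meta["version"]
    return {
        "SPDXID": f"SPDXRef-PACKAGE-{name}",
        "name": name,
        "versionInfo": version,
        # Stand-in for an offline example; real tooling would record the exact file URL.
        "downloadLocation": f"https://pypi.org/project/{name}/{version}/",
        "licenseConcluded": "NOASSERTION",
        "filesAnalyzed": False,
        "checksums": [{"algorithm": "SHA256", "checksumValue": sha256_file(wheel_path)}],
        "externalRefs": [{
            "referenceCategory": "PACKAGE-MANAGER",
            "referenceType": "purl",
            "referenceLocator": f"pkg:pypi/{name}@{version}",
        }],
    }


def check_sbom_entry(sbom: dict, wheel_path: Path) -> list[str]:
    """Return the mismatches a CI check would report; an empty list means the SBOM is current."""
    expected = spdx_package_for_wheel(wheel_path)
    recorded = next((p for p in sbom.get("packages", []) if p.get("name") == expected["name"]), None)
    if recorded is None:
        return [f"{expected['name']} missing from SBOM"]
    problems = []
    if recorded.get("versionInfo") != expected["versionInfo"]:
        problems.append(f"version: SBOM has {recorded.get('versionInfo')}, wheel is {expected['versionInfo']}")
    recorded_sums = {c["algorithm"]: c["checksumValue"] for c in recorded.get("checksums", [])}
    if recorded_sums.get("SHA256") != expected["checksums"][0]["checksumValue"]:
        problems.append("checksum: SBOM SHA256 does not match the bundled wheel")
    expected_purl = expected["externalRefs"][0]["referenceLocator"]
    purls = [r["referenceLocator"] for r in recorded.get("externalRefs", []) if r.get("referenceType") == "purl"]
    if expected_purl not in purls:
        problems.append(f"purl: expected {expected_purl}, SBOM has {purls}")
    return problems


def build_fixture(root: Path) -> tuple[Path, Path]:
    """Constructed sample tree: an upgraded wheel whose SBOM entry still records the old version."""
    bundled = root / "Lib" / "ensurepip" / "_bundled"
    bundled.mkdir(parents=True)
    wheel = bundled / "pip-23.3.2-py3-none-any.whl"
    wheel.write_bytes(b"constructed placeholder bytes, not a real wheel archive")
    stale_sbom = {
        "spdxVersion": "SPDX-2.3",
        "packages": [{
            "SPDXID": "SPDXRef-PACKAGE-pip",
            "name": "pip",
            "versionInfo": "23.2.1",  # constructed stale value, left over from before the upgrade
            "checksums": [{"algorithm": "SHA256", "checksumValue": "0" * 64}],
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": "pkg:pypi/pip@23.2.1"}],
        }],
    }
    sbom_path = root / "Misc" / "sbom.spdx.json"
    sbom_path.parent.mkdir()
    sbom_path.write_text(json.dumps(stale_sbom, indent=2))
    return sbom_path, wheel


def run_example() -> tuple[list[str], list[str]]:
    """Run the check against the stale SBOM, then against one regenerated from the wheel."""
    with tempfile.TemporaryDirectory() as tmp:
        sbom_path, wheel = build_fixture(Path(tmp))
        stale_problems = check_sbom_entry(json.loads(sbom_path.read_text()), wheel)
        regenerated = {"spdxVersion": "SPDX-2.3", "packages": [spdx_package_for_wheel(wheel)]}
        return stale_problems, check_sbom_entry(regenerated, wheel)


if __name__ == "__main__":
    stale, fresh = run_example()
    print("stale SBOM:", *stale, sep="\n  ")
    print("regenerated SBOM problems:", fresh)
```

The check deliberately compares three independent fields. A version bump with an untouched checksum, or a hand-edited version string with an old purl, each still fails, which is the point of having CI own this rather than relying on whoever performs the upgrade to remember the SBOM.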
Next steps for the SBOM infrastructure for CPython include adding Windows dependencies into the SBOMs released for the Windows installers and doing discovery work on macOS installers.
Other items
- The OpenSSF published its annual report for 2023, which contained a bunch of highlights from the Python ecosystem and Alpha-Omega's engagement with the Python Software Foundation (including all the work I've done this year!). Give it a read if you're interested in a one-stop-shop for big things happening in the open source ecosystem.
- Switched to using make regen-configure for the CPython release process now that the Makefile target is available for all currently supported CPython release streams.
- Reviewed the secret scanning payload proposed by GitGuardian. This payload would allow PyPI to alert users when secrets are uploaded, with donated secret scanning expertise from GitGuardian.
That's all for this week! 👋 If you're interested in more you can read next week's report or last week's report.