This critical role would not be possible without funding from the Alpha-Omega project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!
Windows artifacts for CPython get built using Azure Pipelines so the generation of the final SBOM for Windows artifacts should also be added to these workflows.
Part of the workflows is to download source code for dependencies like OpenSSL, libffi, and more. These dependencies and their versions are tracked in a file named get_externals.bat in an unintentionally parseable format that the CPython SBOM tooling can extract and generate an SBOM file for. This works in a similar way to the "checked-in" source dependencies, where any changes require the partial SBOM to be regenerated and acknowledged by core developers during PR review.

The plan is to find this SBOM during the Windows release build and then, depending on which libraries have been pulled locally by get_externals.bat, generate an SBOM for the Windows artifact.
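To make the "unintentionally parseable" point concrete, here is an added illustration (my own example, not CPython's Tools/build SBOM tooling) of the two steps described above: pull name/version pairs out of the `set libraries=%libraries% name-version` lines, then emit SPDX-style package entries only for the externals that were actually downloaded into the build tree. The batch-file snippet is constructed in the shape of PCbuild/get_externals.bat and the `present_dirs` set stands in for a directory listing of the externals folder; both are assumptions for the example.

```python
import json
import re

# Constructed sample in the shape of CPython's PCbuild/get_externals.bat (not the real file).
SAMPLE_GET_EXTERNALS = r"""
set libraries=
set libraries=%libraries%                                       bzip2-1.0.8
if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries%  libffi-3.4.4
if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-3.0.13
set libraries=%libraries%                                       sqlite-3.45.1.0
set libraries=%libraries%                                       zlib-1.3.1

set binaries=
if NOT "%IncludeLibffi%"=="false"  set binaries=%binaries%      libffi-3.4.4
if NOT "%IncludeSSL%"=="false"     set binaries=%binaries%      openssl-bin-3.0.13
"""

# Each append line ends with a single "<name>-<version>" token; the token doubles
# as the directory name the external is unpacked into.
_APPEND_RE = re.compile(r"set (libraries|binaries)=%\1%\s+(\S+)\s*$", re.MULTILINE)
# Version is the trailing hyphen-separated part that starts with a digit, so
# "openssl-bin-3.0.13" splits into ("openssl-bin", "3.0.13").
_NAME_VERSION_RE = re.compile(r"^(.+?)-(\d[\w.]*)$")


def parse_externals(text):
    """Return {dirname: (name, version)} for every external named in the batch file.

    Raises ValueError on a token that does not split cleanly, so a format change
    in the batch file fails the SBOM regeneration instead of silently dropping
    a dependency.
    """
    found = {}
    for match in _APPEND_RE.finditer(text):
        token = match.group(2)
        nv = _NAME_VERSION_RE.match(token)
        if nv is None:
            raise ValueError(f"unparseable external: {token!r}")
        found[token] = (nv.group(1), nv.group(2))
    return found


def build_sbom(externals, present_dirs):
    """Build a minimal SPDX-2.3-style package list.

    Only externals whose directory is in `present_dirs` are included, mirroring
    a build where not every optional library was fetched.
    """
    packages = []
    for dirname in sorted(externals):
        if dirname not in present_dirs:
            continue  # not downloaded for this build, so not shipped in the artifact
        name, version = externals[dirname]
        packages.append({
            "SPDXID": f"SPDXRef-PACKAGE-{name}",
            "name": name,
            "versionInfo": version,
            "downloadLocation": "NOASSERTION",
        })
    return {"spdxVersion": "SPDX-2.3", "packages": packages}


if __name__ == "__main__":
    externals = parse_externals(SAMPLE_GET_EXTERNALS)
    # Constructed stand-in for os.listdir() of the externals directory.
    downloaded = {"openssl-bin-3.0.13", "zlib-1.3.1", "sqlite-3.45.1.0"}
    print(json.dumps(build_sbom(externals, downloaded), indent=2))
```

Because the parser keys on the directory name, the same token that get_externals.bat uses to decide where to unpack a download is what ties a batch-file entry to the files present on disk, which is what lets the release build select only the libraries that were actually pulled.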
After chatting with Steve Dower it seems that the Windows build happens once and then is repackaged into all the different distribution methods (python.org, Windows store, Nuget, etc) so we'll only need to generate the Windows-specific SBOM once and then reuse it for each distribution method.
I also removed the regen-sbom makefile target from regen-all to avoid breaking downstream distributors.
Alpha-Omega published its 2023 annual report this week and there's a ton of goodness inside, including lots of mentions of the Python Software Foundation and my own work. I contributed content to this report last year, so I'm excited to see it published.
One quote regarding my current role:
Alpha-Omega has helped fund security champion roles at the Python Software Foundation, the Eclipse Foundation, and the Rust Foundation. In all cases, we are seeing significant impact as these individuals are incubating a security culture in their respective communities.
Both Deb Nicholson, the executive director of the PSF, and I were quoted in the report; take a look if you're interested in what Alpha-Omega has next in 2024.
That's all for this week! 👋 If you're interested in more you can read next week's report or last week's report.