This critical role would not be possible without funding from the OpenSSF Alpha-Omega Project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!
OpenSSF Day Europe 2023
If you haven't heard, I'm presenting on my work as the Security Developer-in-Residence at OpenSSF Day Europe 2023 along with Cheuk Ting Ho. You can register to attend the conference virtually if you haven't already. I'll be in the chat answering questions throughout the conference, hope to see you there!
The past few weeks I've been finishing slides, recording my video, and collaborating with my co-presenter 🚀
Truststore
It was a big week for Truststore!
This week I added support for PyPy 3.10 to Truststore
since PyPy implements their SSLContext class differently
than CPython this required an unfortunate hack after trying
and failing to find a cleaner method that allowed isinstance(ctx, ssl.SSLContext)
to work.
I updated the PR to vendor Truststore into pip, the first step towards getting pip to use Truststore by default.
PDM also released v2.9.0 recently which uses Truststore by default on Python 3.10+. This would explain the recent skyrocket of installs.
Finally, Conda appears to be evaluating using Truststore by default as well! 🥳 I spoke with Jannis Leidel to confirm that I was happy with Conda moving forward with using Truststore as a dependency.
Other items
- Opened an issue on the new py-code.org service that gathers all data on PyPI. The issue is requesting dependency data from packages and other data I track in my own PyPI dataset.
- Authored the PSF's CNA processes document.
- Updated pip's security policy to point to the PSRT webpage
- The "Supported Versions" that I initially proposed had some additional discussion.
- Updated
get-pip.pygeneration code to verify the digests of downloaded wheels and upgraded the digest method from MD5 to SHA256. I don't believe that this has ever historically been an issue, since any "MITM" attack here would have had to succeed over and over again in CI to persist and would get committed to the set of commits before deployment, something that hasn't been observed. - Discussed the release process of pip with pip maintainer Pradyun Gedam. Stay tuned for more there.
- Reviewed the proposal for the PyPI Malware Reporting API.
That's all for this week! 👋 If you're interested in more you can read next week's report or last week's report.
Thanks for reading! ♡ Did you find this article helpful and want more content like it?
Get notified of new posts by subscribing to the RSS feed or the email newsletter.
This work is licensed under 
