Security Developer in Residence Weekly Report #10

Published 2023-09-13 by Seth Larson

This critical role would not be possible without funding from the OpenSSF Alpha-Omega Project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!

OpenSSF Day Europe 2023

If you haven't heard, I'm presenting on my work as the Security Developer-in-Residence at OpenSSF Day Europe 2023 along with Cheuk Ting Ho. You can register to attend the conference virtually if you haven't already. I'll be in the chat answering questions throughout the conference, hope to see you there!

The past few weeks I've been finishing slides, recording my video, and collaborating with my co-presenter 🚀

Truststore

It was a big week for Truststore!

This week I added support for PyPy 3.10 to Truststore. Since PyPy implements their SSLContext class differently than CPython, this required an unfortunate hack after trying and failing to find a cleaner method that allowed isinstance(ctx, ssl.SSLContext) to work.

I updated the PR to vendor Truststore into pip, the first step towards getting pip to use Truststore by default.

PDM also released v2.9.0 recently, which uses Truststore by default on Python 3.10+. This would explain the recent skyrocket of installs.

Finally, Conda appears to be evaluating using Truststore by default as well! 🥳 I spoke with Jannis Leidel to confirm that I was happy with Conda moving forward with using Truststore as a dependency.

Other items

That's all for this week! 👋

Thanks for reading!
— Seth