This critical role would not be possible without funding from the OpenSSF Alpha-Omega Project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!
It's hard to believe, but I've been in the Security Developer-in-Residence position for 3 months now! 🥳 This is the first quarterly report for Q3 of 2023 on the many accomplishments so far and future projects that I aim to tackle in the role. You can read the full report on the Python Software Foundation blog.
In the report I identified three flagship projects that I'm looking to work on this upcoming quarter:
- Software Bill-of-Materials for CPython
- Tracking bundled dependencies in Python packages
- CPython and pip release process improvements
You should read the full report especially the section under "Future Projects" if you're interested in any of these topics! A lot of this week has been taken up by writing this report, so there won't be much else to report here this week.
Other items
- The CPython core developer sprint happened last week, I've been following along with all the social media posts. Very exciting stuff about the C API. I'll be meeting with the CPython Developer-in-Residence Łukasz to talk about everything that happened at the sprints and what's relevant to my work.
- pip v23.3 released with the following relevant changes:
- Truststore was vendored which means you no longer need to bootstrap Truststore in order to use pip's optional Truststore support.
- Upgraded the vendored certifi to not be vulnerable to GHSA-xqr8-7jwr-rhp7.
- Secure Transport support has been removed from pip due to pip no longer supporting an OpenSSL version that required it (1.0.1 and earlier).
That's all for this week! 👋 If you're interested in more you can read next week's report or last week's report.
Thanks for reading! ♡ Did you find this article helpful and want more content like it?
Get notified of new posts by subscribing to the RSS feed or the email newsletter.
This work is licensed under 
