This critical role would not be possible without funding from the OpenSSF Alpha-Omega project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!
Shorter update this week in terms of words on the page, but lots of work
is contained within them!
I'm getting closer to having the end-to-end flow complete for Software Bills-of-Materials documents
for specifically CPython source code artifacts. Once that's complete I'll begin branching out
to support other artifacts like the Windows and macOS binary installers.
- Landed the final pull request
for complete traversal of the pip wheel automatically when generating the SBOM document.
- The above PR also fixed multiple issues reported by Karolina Surma of Fedora
like making regenerating the SBOM documents while offline not raise an error
and handling situations where pip is "debundled" from the ensurepip module.
- Backported the SBOM tooling to 3.12 branch
to be included in future 3.12 releases.
Determined that backporting beyond 3.12 would take substantially more effort
due to setuptools' inclusion in ensurepip and its complicated vendoring situation.
- Working on the user documentation for python.org/downloads page for CPython's SBOMs
- Getting legal help regarding licensing ID questions for the CPython SBOM
Reviewing new draft CVE Numbering Authority Rules
Reviewed the new draft CVE Numbering Authority rules. This document is only available for CNAs right now.
I focused on representing small open source vendor CNAs (like the Python Software Foundation, curl, etc).
Would like to add prevention of "junk" CVEs into the rules, so they can be dealt with more directly.
Will need to update the OpenSSF CVE Numbering Authority for OSS guide
once new rules are published.
That's all for this week! 👋 If you're interested in more you can read next week's report or last week's report.
Thanks for reading! ♡ Did you find this article helpful and want more content like it?
Get notified of new posts by subscribing to the RSS feed or the email newsletter.