Security Developer-in-Residence Weekly Report #27

Published 2024-01-31 by Seth Larson
Reading time: 1 minute

This critical role would not be possible without funding from the OpenSSF Alpha-Omega project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!

Shorter update this week in terms of words on the page, but lots of work is contained within them!

CPython SBOMs

I'm getting closer to having the end-to-end flow complete for Software Bills-of-Materials documents for specifically CPython source code artifacts. Once that's complete I'll begin branching out to support other artifacts like the Windows and macOS binary installers.

Reviewing new draft CVE Numbering Authority Rules

Reviewed the new draft CVE Numbering Authority rules. This document is only available for CNAs right now. I focused on representing small open source vendor CNAs (like the Python Software Foundation, curl, etc). Would like to add prevention of "junk" CVEs into the rules, so they can be dealt with more directly. Will need to update the OpenSSF CVE Numbering Authority for OSS guide once new rules are published.

Other items

That's all for this week! 👋 If you're interested in more you can read next week's report or last week's report.

Thanks for reading! ♡ Did you find this article helpful and want more content like it? Get notified of new posts by subscribing to the RSS feed or the email newsletter.

This work is licensed under CC BY-SA 4.0