Windows SBOM work and Alpha-Omega 2023 annual report

Published 2024-02-22 by Seth Larson
Reading time: 2 minutes

This critical role would not be possible without funding from the Alpha-Omega project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!

Starting on SBOMs for Python Windows artifacts

Windows artifacts for CPython get built using Azure Pipelines, so the generation of the final SBOM for Windows artifacts should also be added to these workflows.

Part of these workflows downloads the source code for dependencies like OpenSSL, libffi, and more. These dependencies and their versions are tracked in a file named get_externals.bat in an unintentionally parseable format that the CPython SBOM tooling can extract and use to generate an SBOM file. This works the same way as the "checked-in" source dependencies: any change requires the partial SBOM to be regenerated and acknowledged by core developers during PR review.

The plan is to locate this SBOM during the Windows release build and then, depending on which libraries get_externals.bat has actually pulled locally, generate an SBOM for the Windows artifact.
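To make the two steps above concrete, here is an added example (not CPython's SBOM tooling and not code from this post) that parses the dependency list out of a get_externals.bat-style script, keeps only the externals whose directories were actually fetched into the local externals folder, and emits SPDX-2.3-style package entries for them. The script text is a constructed sample that mimics the shape of the `set libraries=%libraries% name-version` lines; the real file, the set of fetched directories and the SPDX field subset chosen here are all assumptions.

```python
"""Added example: derive SBOM package entries for CPython's Windows externals.

Not CPython's own tooling. The sample script below is constructed to mimic the
shape of get_externals.bat; the real file may differ.
"""
import json
import re
from pathlib import Path

# Constructed sample modelled on the shape of get_externals.bat (not the real file).
SAMPLE_GET_EXTERNALS = r"""
@echo off
set libraries=
set libraries=%libraries%                                       bzip2-1.0.8
if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.4.4
if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries%     openssl-3.0.13
set libraries=%libraries%                                       sqlite-3.45.1.0
if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.13.1
set libraries=%libraries%                                       zlib-1.3.1

set binaries=
if NOT "%IncludeLibffi%"=="false"  set binaries=%binaries%      libffi-3.4.4
if NOT "%IncludeSSL%"=="false"     set binaries=%binaries%     openssl-bin-3.0.13
"""

# One external per line: an optional `if NOT "..."=="false"` guard, then the
# accumulating assignment to %libraries% or %binaries% and the directory name.
_EXTERNAL_LINE = re.compile(
    r'^(?:if NOT "[^"]*"=="false"\s+)?'
    r'set (libraries|binaries)=%(?:libraries|binaries)%\s+(\S+)\s*$'
)
# "tcl-core-8.6.13.1" -> ("tcl-core", "8.6.13.1"): the version starts at the
# last hyphen that is followed by a digit.
_NAME_VERSION = re.compile(r"^(.+)-(\d[^-]*)$")


def parse_externals(script_text):
    """Return {dirname: {"name", "version", "kinds"}} for every external declared.

    The same directory can be listed as both a source and a binary dependency
    (libffi is, in the sample), so "kinds" is a list rather than a single value.
    """
    found = {}
    for line in script_text.splitlines():
        m = _EXTERNAL_LINE.match(line.strip())
        if not m:
            continue
        kind, dirname = m.groups()
        nv = _NAME_VERSION.match(dirname)
        if not nv:
            continue  # unexpected naming: skip rather than guess a version
        entry = found.setdefault(
            dirname, {"name": nv.group(1), "version": nv.group(2), "kinds": []}
        )
        if kind not in entry["kinds"]:
            entry["kinds"].append(kind)
    return found


def fetched_externals(externals_dir):
    """Names of the directories actually present under the externals folder."""
    root = Path(externals_dir)
    return {p.name for p in root.iterdir() if p.is_dir()} if root.is_dir() else set()


def present_externals(declared, fetched):
    """Keep only declared externals that were pulled locally for this build."""
    return {d: e for d, e in declared.items() if d in fetched}


def to_spdx_packages(present):
    """Emit a minimal SPDX-2.3-style package list (field subset is an assumption)."""
    packages = []
    for dirname, entry in sorted(present.items()):
        packages.append({
            "SPDXID": f"SPDXRef-PACKAGE-{dirname}",
            "name": entry["name"],
            "versionInfo": entry["version"],
            "downloadLocation": "NOASSERTION",
            "primaryPackagePurpose": "SOURCE" if "libraries" in entry["kinds"] else "LIBRARY",
            "comment": "fetched by get_externals.bat as " + " and ".join(entry["kinds"]),
        })
    return packages


def build_windows_sbom(script_text, fetched):
    """Declared externals -> those fetched locally -> SPDX package entries."""
    return to_spdx_packages(present_externals(parse_externals(script_text), fetched))


if __name__ == "__main__":
    # Constructed: pretend only these three externals were fetched for this build.
    # For a real checkout, use fetched_externals(r"externals") instead.
    fetched = {"openssl-3.0.13", "zlib-1.3.1", "libffi-3.4.4"}
    print(json.dumps(build_windows_sbom(SAMPLE_GET_EXTERNALS, fetched), indent=2))
```

Keying on the directory name rather than the library name is what lets the presence check mirror the build: get_externals.bat clones each dependency into a folder named after its `name-version` tag, so an external that a build option skipped simply has no folder and is left out of the Windows SBOM.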

After chatting with Steve Dower, it seems that the Windows build happens once and is then repackaged into all the different distribution methods (python.org, Windows Store, NuGet, etc.), so we'll only need to generate the Windows-specific SBOM once and then reuse it for each distribution method.

I also removed the regen-sbom makefile target from regen-all to avoid breaking downstream distributors.

Alpha-Omega published 2023 Annual Report

Alpha-Omega published its 2023 annual report this week and there's a ton of goodness inside, including lots of mentions of the Python Software Foundation and my own work. I contributed content to this report last year, so I'm excited to see it published.

One quote regarding my current role:

Alpha-Omega has helped fund security champion roles at the Python Software Foundation, the Eclipse Foundation, and the Rust Foundation. In all cases, we are seeing significant impact as these individuals are incubating a security culture in their respective communities.

Both Deb Nicholson, the executive director of the PSF, and I were quoted in the report; take a look if you're interested in what Alpha-Omega has in store for 2024.

Other items

That's all for this week! 👋 If you're interested in more you can read next week's report or last week's report.

Thanks for reading! ♡ Did you find this article helpful and want more content like it? Get notified of new posts by subscribing to the RSS feed or the email newsletter.

This work is licensed under CC BY-SA 4.0