This critical role would not be possible without funding from the Alpha-Omega project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!
Last week I attended SOSS Community Day and OSS Summit. It was great to catch up with friends and to meet new people for the first time at a cross-ecosystem open source event.
I gave a talk "Embrace the Differences: Securing software ecosystems where they are" which funnily enough had a complementary talk about the ways software repositories can collaborate for security.
My talk focused on how security standards and tools typically want to operate across software ecosystems and differences in standards, tools, maintainers, and user expectations between ecosystems can make that difficult.
You can download my slides and the recording will be available eventually on YouTube.
OpenSSF Tabletop Session
I also participated in the first OpenSSF Tabletop Session organized and hosted by Dana Wang. I played the role of "open source maintainer" and represented how an exploited zero-day vulnerability would appear from the perspective of an open source project.
I emphasized the realities of vulnerability disclosure to open source projects like under-resourcing, most maintainers being volunteers, and stress caused during times of crisis.
Cast of the tabletop session!
So many people!
I also met up with many folks doing open source security, maintenance, and funding:- Met with many folks from the Alpha-Omega cohort. I'm looking forward to having more cross-functional discussions about new approaches to securing open source.
- Met with Michael Winser from Alpha-Omega to work on our PyCon US 2024 talk State of Supply Chain Security for Python.
- Met with my friend William Woodruff from Trail of Bits and discussed the system TLS proposal and build provenance for Homebrew (and what could be learned for Python).
- Met with Samuel Giddins and Martin Emde from the Ruby ecosystem to discuss shared challenges for introducing security into an ecosystem.
- Met Lauren Hanford from Tidelift to discuss supporting and funding maintainers.
- Met Mirko from Sovereign Tech Fund and discuss their program for hiring open source maintainers.
- Attended the talk by Kara Sowles from GitHub on the state of open source funding and learned about "downturn-resilient" funding.
- Many folks who asked me about security initiatives happening in the Python ecosystem.
Other items
- Participating in the pre-PEP discussion for reviving PEP 543 (system TLS).
- Created a proposal for allowing any release manager to create a CPython release.
- Created a pull request for uploading Windows SBOMs to python.org/downloads.
- Merging and backporting the upgrade to libexpat 2.6.2
- Chose which proposal(s) I would be willing to mentor for Google Summer of Code 2024 (thanks to the folks who submitted!)
- Triaged reports and fixes for the PSRT.
- I wasn't involved, but PyPI has added Trusted Publisher support for ActiveState, GitLab, and Google Cloud Build.
Note that I've been summoned for jury duty starting next week, so expect fewer updates over the next two weeks depending on how that goes.
That's all for this week! 👋 If you're interested in more you can read next week's report or last week's report.
Thanks for reading! ♡ Did you find this article helpful and want more content like it?
Get notified of new posts by subscribing to the RSS feed or the email newsletter.
This work is licensed under 
