This critical role would not be possible without funding from the OpenSSF Alpha-Omega Project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!
PSF Advisory Database
In preparation for becoming a CNA, the PSF now has a public advisory database on GitHub which hosts advisories in the Open Source Vulnerability format (OSV). This database will host historical advisories in addition to new advisories and CVEs for the PSF CNA for projects in scope like Python and pip.
I shared this newly published database with the OpenSSF Vulnerability Disclosures WG and received lots of feedback and tips for managing an OSV advisory database. Madison Oliver of GitHub Security gave advice on being a CNA and guidance for hosting first-party and third-party advisories as a CNA. Also received helpful feedback from Oliver Chang and Andrew Pollock. Thanks everyone!
Being a participant in the distributed vulnerability database for OSV requires choosing an ID prefix for advisories.
I chose PSF as the prefix and the prefix was accepted into the OSV schema specification.
After the prefix was selected I configured automation in the database to automatically assign IDs for the PSF prefix.
I spent time importing existing advisories for Python from Victor Stinner's manually curated list of vulnerability fixes. Some of these fixes don't include a CVE ID so need to be disambiguated based on other information like a bugs.python.org issue ID.
PSF CNA
The PSF CNA registration process has been making progress! 🚀
Towards publishing the materials to the OpenSSF Vulnerability Disclosures WG I've applied to join the CVE Outreach and Communications WG to review the draft guidance materials. I'm also drafting a blog post for once the PSF is announced as a CNA.
I've been getting questions answered from the CNA Program Coordinator specifically around operating a CNA as an open source foundation or project. These answers will be completely written up in the guidance.
If you have a 1-2 hours of time and would like to experience the training regiment I've given PSF staff to prepare for the CNA onboarding call you can take a look at this Gist.
Other items
- Manually added the recent certifi advisory to the PyPA Advisory Database
- Created back-filled Sigstore bundles from existing verification materials to be verified by CPython release managers.
- Ran into an integration issue with Sigstore Python client v2.0.0 release candidate not being able to successfully verify old bundles.
- Provided an OpenSSF Alpha-Omega engagement update for the month of July.
That's all for this week! 👋 If you're interested in more you can read next week's report or last week's report.
Thanks for reading! ♡ Did you find this article helpful and want more content like it?
Get notified of new posts by subscribing to the RSS feed or the email newsletter.
This work is licensed under 
