This critical role would not be possible without funding from the OpenSSF Alpha-Omega Project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!
The past few weeks have been fairly light as I've taken time off to get married! 🎉 The usual weekly cadence will resume next week.
The biggest news in the open source security space right now is the Request for Information (RFI) titled "Request for Information on Open Source Software Security: Areas of Long-Term Focus and Prioritization". This announcement means that the US Government is soliciting ideas from the broader community on where to focus and what to do to improve the security of open source software.
Back in late July, certifi published a GHSA advisory about the removal of the e-Tugra root certificate. This advisory had an associated CVE ID, so it should eventually make its way into the PyPA advisory database, but the automation wasn't able to import it automatically. After that issue was resolved, pip was able to land a PR upgrading certifi to the latest version.
Certifi is a critical package in the Python ecosystem as it's the most common way that CA certificates are configured, due to strong ties to the OpenSSL library by Python's ssl module. A consequence of certifi's use in pip in particular, due to bundling, is a chain of events whenever there's a security issue with a root CA:
This chain of updates causes a lot of churn any time there's a removed CA in certifi and doesn't account for all the upgrades that need to happen in individual application lock files.
Truststore is a library authored by myself and David Glick which aims to remove the need for certifi by using system trust stores instead of a hardcoded bundle. This puts the onus of keeping the trust store up-to-date on the system itself (which for macOS and Windows can be automatically updated in the background!)
Truststore has recently received a large number of passive users thanks to PDM adopting the library when installed via pdm[all]. The code path is automatically used if truststore is installed, which means we can be sure that the library is working as intended for a wide variety of configurations.
I've been monitoring PDM's issue tracker for issues related to truststore and so far there aren't any after being installed ~2,000 times per day.
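To make the migration concrete, here is an added example (not code from truststore, PDM, pip or this post's author) of how an application can prefer the operating system's trust store and only fall back to OpenSSL's default verify paths when truststore is not installed. It uses the real `truststore.SSLContext(protocol)` constructor; the function names `build_client_context` and `trust_summary` are assumptions of this example, and whether truststore is present at runtime is treated as unknown.

```python
import ssl
from typing import Tuple, Dict, Any


def build_client_context() -> Tuple[Any, str]:
    """Return (ssl_context, source).

    Preference order, reflecting the migration described above:
      1. truststore.SSLContext -> certificate verification is delegated to the
         OS verifier (Keychain on macOS, CryptoAPI on Windows, OpenSSL paths
         on Linux), so root CA removals are handled by OS updates, not by a
         new PyPI release of a bundle.
      2. ssl.create_default_context() -> OpenSSL's compiled-in default paths.
    There is deliberately no certifi fallback: the point is to stop treating
    PyPI as a CA distribution channel.
    """
    try:
        import truststore  # third-party; may or may not be installed
    except ImportError:
        truststore = None

    if truststore is not None:
        # Real truststore API: wraps an ssl.SSLContext and overrides
        # verification so the system trust store decides.
        ctx = truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        source = "system (truststore)"
    else:
        ctx = ssl.create_default_context()
        source = "openssl defaults"

    # Be explicit about verification regardless of which path was taken.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx, source


def trust_summary() -> Dict[str, Any]:
    """Describe the trust configuration an application would actually use.

    Useful as a startup log line or a health check: an operator can see at a
    glance whether verification is rooted in the OS store or in OpenSSL's
    defaults, and that hostname checking is on.
    """
    ctx, source = build_client_context()
    summary: Dict[str, Any] = {
        "source": source,
        "check_hostname": bool(ctx.check_hostname),
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
    }
    if source == "openssl defaults":
        # cert_store_stats() is a stdlib ssl.SSLContext method; truststore's
        # wrapper is not queried here because the OS store is not a PEM file.
        summary["loaded_ca_count"] = ctx.cert_store_stats()["x509_ca"]
    return summary


if __name__ == "__main__":
    print(trust_summary())
```

Dropping certifi from the fallback chain is the design choice here: an application that still loads `certifi.where()` is exactly the application that must ship a new release every time a root CA is pulled. With the stdlib fallback, a stale root on a poorly maintained Linux host is the OS vendor's problem to patch, which is the same place every other TLS client on that host already gets its trust anchors.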
Below is a list of projects (ordered by downloads) that directly depend on certifi and would also be candidates to switch from certifi to truststore, since they don't have the same issue of bundling certifi that pip does:
This list was generated from the following SQL query on the pypi-data dataset.
SELECT packages.name FROM deps JOIN packages ON deps.package_name = packages.name
WHERE dep_name = 'certifi' AND extra IS NULL
ORDER BY packages.downloads DESC LIMIT 20;
I'm hopeful we can move away from certifi to reduce the amount of churn generated from using PyPI as a CA distribution channel.