generated from ossf/project-template
-
Notifications
You must be signed in to change notification settings - Fork 53
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #469 from sethmlarson/psf-2025-01
Add engagement report for PSF 2025-01
- Loading branch information
Showing
1 changed file
with
95 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| # Update 2025-01 | ||
|
|
||
| ## PyPI Safety & Security Engineer (Mike Fiedler) | ||
|
|
||
| Mike focused on enhancing security measures and responding to incidents. | ||
| While he spent some efforts on routine maintenance tasks, | ||
| his primary focus was toward malware abuse response and prevention. | ||
|
|
||
| ### Malware | ||
|
|
||
| In January, Mike addressed 68 malware reports, | ||
| with some cases requiring more complex analysis and intervention. | ||
| One such analysis resulted in an advisory | ||
| ([PYSEC-2025-2](https://osv.dev/vulnerability/PYSEC-2025-2)). | ||
| The [Project Quarantine](https://blog.pypi.org/posts/2024-12-30-quarantine/) | ||
| feature proved to be highly effective in containing potential threats, | ||
| allowing Mike to take action off-hours, protecting users and the ecosystem. | ||
| Mike has begun exploring ways to automate this process further to | ||
| streamline operations and minimize malware time-on-index, | ||
| leveraging external security reporters. | ||
|
|
||
| Mike improved the PyPI Admin UI, providing more context to the operator, | ||
| and improving response times, especially on mobile browsers. | ||
|
|
||
| The next foray into abuse prevention, | ||
| Mike collected prior efforts on typo-squatting prevention, | ||
| from both PyPI and other ecosystems. More to come on this front. | ||
|
|
||
| ### Security | ||
|
|
||
| Mike spent some time learning more about the advanced rules in | ||
| [Fastly NGWAF](https://www.fastly.com/products/web-application-api-protection), | ||
| to improve detection of malicious traffic and enhance the security of PyPI's infrastructure. | ||
| One such rule has been added to TestPyPI to test if the changes have the desired affect. | ||
|
|
||
| ## Security Developer-in-Residence (Seth Larson) | ||
|
|
||
| ### Cyber Resilience Act discussion at FOSDEM | ||
|
|
||
| Both Mike Fiedler and Seth Larson attended the discussion and workshop occurring with EC, ENISA and CISA | ||
| on the Cyber Resilience Act (CRA) for open source stewards at FOSDEM. | ||
|
|
||
| The discussion was very fruitful, we're looking forward to more discussions with EC | ||
| and ENISA on how the CRA will affect stewards and independent maintainers. | ||
|
|
||
| ### PEP 770: Software Bill-of-Materials (SBOMs) for Python packages | ||
|
|
||
| Work on the [new standard addressing the phantom dependency problem](https://discuss.python.org/t/pep-770-improving-measurability-of-python-packages-with-software-bill-of-materials/76308) | ||
| for Python packages continues. Thanks to William Woodruff from Trail of Bits for | ||
| reviewing along with many other volunteer reviewers. | ||
|
|
||
| Reviewers weighed in on the proposal and the technical specification has | ||
| been finalized, we're at the stage now where final comments are being solicited | ||
| and the standard is adding non-technical aspects, such as how to teach all the | ||
| potential users affected by the standard (SBOM tool authors, project maintainers, | ||
| PyPI, build backends, etc) about what they need to know and how they will find | ||
| out. | ||
|
|
||
| The hope is that by the end of February the standard will be provisionally | ||
| accepted and that one or more implementations will begin adopting the standard. | ||
| Seth will be contributing to build backends to speed this process up so that | ||
| PEP can be completely accepted ASAP. Luckily, PEP 639 has blazed the trail | ||
| for PEP 770 as much of the mechanisms for build backends are the same. | ||
|
|
||
| Now that all feedback has been addressed the plan is to ask for pronouncement | ||
| and begin initial implementations in build tools starting next week. | ||
|
|
||
| Socket.dev [published a blog post about the project](https://socket.dev/blog/new-python-packaging-proposal-aims-to-solve-phantom-dependency-problem-with-sboms). | ||
|
|
||
| ### NSF initial grant proposal submitted | ||
|
|
||
| In early January, Seth Larson and Loren Crary authored and submitted to the | ||
| National Scientific Foundation (NSF) a grant proposal to the program | ||
| "[Safety, Security, and Privacy of Open Source Ecosystems](https://new.nsf.gov/funding/opportunities/safe-ose-safety-security-privacy-open-source-ecosystems)" | ||
| (Safe-OSE). | ||
|
|
||
| ## Other items | ||
|
|
||
| ### Mike Fiedler | ||
|
|
||
| - Tested upgrading PyPI to Python 3.13 | ||
| - Supported adding "Archived" status to projects (guest blog post incoming) | ||
| - Added metrics to aid with diagnosing client-side failed uploads | ||
| - Tested out a new search index, while not used, took some of the learnings to improve current search operations | ||
| - Aided in determining the root cause of missing metadata in BigQuery | ||
| - Supported PSF staff in data collection for reports | ||
| - Various maintenance tasks and code reviews | ||
|
|
||
| ### Seth Larson | ||
|
|
||
| * Authored the blog post "[How to visualize SBOM documents](https://sethmlarson.dev/quickly-visualizing-sbom-with-cli)" | ||
| * Finished security section of the PSF 2024 Annual Report. | ||
| * Processed many Python Security Response Team reports. Created fixes for an issue regarding IPv6 addresses in the URL parser. | ||
| * [Reviewed and responded to PEP 751 draft](https://discuss.python.org/t/pep-751-one-last-time/77293/5) (Python package lock files). | ||
| * Submitted talk proposals to VulnCon, Open Source Summit NA, and SOSS Community Day NA CFPs. |