The current status having CPython SBOM artifacts with releases is:
- Created a draft SBOM document from existing implementation
and shared with OpenSSF Security Tooling and SBOM Everywhere working groups
- Received feedback from Adolfo Garcia Veytia and Ritesh Noronha.
- Meets NTIA Minimum Elements of an SBOM, achieved 9.6 / 10 on SBOM Benchmark
- python.org is ready to accept SPDX SBOM files alongside release artifacts. These will be offered alongside other release artifacts. User-facing documentation for python.org is in-progress.
- Ready for CPython 3.13.0 (stable release in October 2024), backporting to the 3.12 release stream to be available earlier. 3.11 and earlier would take much more effort to implement.
- Documentation for maintaining the SBOM documents has been written for CPython core developers.
The first CPython release containing any SBOM information (3.13.0a3) also received feedback from downstream distributors, mainly Fedora. Issues that were found during their repackaging of CPython were addressed.
Remaining work includes getting a release manager to approve the SBOM generation during CPython releases and generating SBOMs for "built" artifacts for Windows and macOS.
This proposal was authored by William Woodruff, but I was a reviewer in the pre-PEP discussion and during the initial PEP review. This work provides a standard mechanism for PyPI to host digital attestations (such as publish provenance) for artifacts. This mechanism will be of interest for future work that I'm interested in tackling like build provenance of Python packages.
CPython publishes PKG files for the macOS platform which use the XAR archive format. The diffoscope tool was indispensable for making CPython's source artifacts reproducible, but didn't have support for XAR/PKG files. As a part of having reproducible builds of macOS I contributed support for the XAR/PKG format upstream.
XAR/PKG support was released in version 254 of diffoscope.
- Spent time planning first major projects for 2024:
- SBOM for CPython (continued from the tail end of 2023)
- Python Packaging Ecosystem Best Practices Guide
- Third-Party Audit
- Reviewed CVE Numbering Authority Rules draft available only to CNAs.
- Opportunity to reduce non-vulnerabilities being reported.
- Perspective of small open source vendor CNA, things like time and resource commitment are important.
- Will need to update OpenSSF guide for becoming a CNA if any relevant changes (likely to be minor)
- Published blog posts
- Wrote for the Python Software Foundation 2023 Annal Impact report.
- Coordinated and reviewed multiple reports to the Python Security Response Team email address.