sethmlarson.dev
Archives
New article: Python and Sigstore
October 21, 2024
Did you know that CPython artifacts are signed with Sigstore? I’ve introduced a PEP which deprecates PGP signatures for CPython artifacts. Find out about the...
PyCon Taiwan 2024 Keynote slides and links
September 24, 2024
“Bytes, Pipes, and People” I delivered the PyCon Taiwan 2024 keynote this past weekend. The topic was about software security in decentralized and diverse...
New article: “YouTube without YouTube Shorts”
July 22, 2024
Are you like me and enjoy long-form creators on YouTube, but find YouTube Shorts to be a drain on your time? Disable YouTube Watch History to stay away from...
Thoughts on “Lockdown Mode”: the feature that stops BLASTPASS
July 2, 2024
I've been using “Lockdown Mode” on my iPhone for almost a year following the BLASTPASS / libwebp vulnerability. Here are my thoughts on the feature: Lockdown...
Automating Python Software Foundation vulnerability infrastructure
June 24, 2024
The Python Software Foundation is a CVE Numbering Authority which manages vulnerability data for CPython and pip. This article describes our vulnerability...
Bringing supply chain security (and stickers!) to PyCon US 2024
May 10, 2024
Next week is PyCon US 2024 in Pittsburgh and I’ll be there! Where I’ll be during PyCon US 2024 (and maybe where you want to be too?); New and exclusive “secure...
Backup Game Boy ROMs and saves on Ubuntu
May 6, 2024
Are you a retro gaming enthusiast and Ubuntu user like me? Here's a guide on using GB Operator and Playback to backup Game Boy ROMs and saves. Read more:...
Isolating risk in the CPython release process
May 2, 2024
Today’s report for the Security Developer-in-Residence role includes: Modifying the CPython release process in GitHub Actions to isolate the source artifacts...
CPython release automation, SBOMs for Windows artifacts coming soon!
April 10, 2024
Published the 33rd weekly report for the Security Developer-in-Residence role: CPython source and docs builds are now automated. More improvements...
Security Developer-in-Residence Weekly Report #32
March 29, 2024
I'm back from vacation and have a few events and conferences to report on: Summary of the CISA Open Source Security Summit; Hardening CPython against memory...
Regex character “$” doesn't mean “end-of-string”
March 9, 2024
When I first discovered this behavior all I could think was that "I can't be the only one who doesn't know this". Here's a short article about some platform-...
New article: Windows SBOM progress and conference plans for 2024
February 28, 2024
This is the final weekly report of February 2024 (and likely until April due to travel plans). This report covers a short update on Windows artifact SBOMs...
New article: Windows SBOM work and Alpha-Omega 2023 annual report
February 22, 2024
Getting started with SBOMs for Python Windows artifacts; Alpha-Omega has published its 2023 annual report with quotes from Deb Nicholson and I; Proposal for...
New article: Websites without servers or networking
February 19, 2024
What would a local web without HTTP, servers, or networking look like? This article is a theory-crafting session based on a feature that has been removed...
New article: Challenges while building SBOM infrastructure for CPython
February 14, 2024
Today I go over the challenges I encountered so far when building the SBOM infrastructure for CPython, both technical and social. This was presented to the...
Software Bill-of-Materials documents are now available for CPython
February 8, 2024
CPython now has official Software Bill-of-Materials (SBOM) documents starting in 3.12.2! 🥳 You can read the announcement on the PSF blog which has info about...
Security Developer-in-Residence weekly report #26: Releases on PyPI are never "done"
January 24, 2024
This is the 26th weekly report for the Security Developer-in-Residence role: Discussion of open-ended PyPI releases and PEP 740 (digital attestations on...
New article: Defending against the PyTorch supply chain attack PoC
January 17, 2024
This is the 25th weekly report from the Security Developer-in-Residence role. This week I discuss how to defend from the proof-of-concept attack on PyTorch...
New article: urllib3 is fundraising for HTTP/2 support!
January 16, 2024
2023 was a transformative year for urllib3, headlined by the first stable release of v2.0 after multiple years of development. This release sets the stage...
Starting 2024 off strong for securing Python (SBOM, provenance, macOS build repro, software IDs, oh my!)
January 9, 2024
2024 has only just begun and there's already so much to talk about. Here's a summary of topics in the first weekly report for 2024 from the Security...