Tuesday, December 02, 2025

Sovereign Tech Agency and PSF Security Partnership

We are thrilled to announce that the Sovereign Tech Agency has committed to a €86,000 investment in work to be performed by the Python Software Foundation to improve the security of CPython and the Python Package Index (PyPI). The Sovereign Tech Agency is a public organization in Germany that focuses on increasing the security and resilience of critical open source software that forms the foundation of modern digital technology.

With the Sovereign Tech Fund, they invest globally in open software components that underpin economic competitiveness and the ability to innovate. Improving the security, stability, and reusability of open software components like CPython and PyPI is a win for everyone. This project consists of two components, which we are carrying out in parallel: one focused on CPython and one focused on PyPI.

The CPython component, led by PSF Security Developer in Residence Seth Larson, concerns archive-handling vulnerabilities in CPython’s standard library. Following multiple CVEs affecting the tarfile and zipfile modules, systematic fuzz-testing is required to uncover potential regressions or untested cases in extraction filtering. These modules are used by most Python packaging and installation tools, and therefore form a critical part of the software supply chain. The work commissioned through the Sovereign Tech Fund’s investment will develop test cases and seed corpora for these modules, integrate fuzz-testing through the OSS-Fuzz infrastructure, and validate filtering protections against potential bypasses.

The PyPI component, led by PSF PyPI Safety and Security Engineer Mike Fiedler with support from Director of Infrastructure Ee Durbin, focuses on PyPI account integrity and recovery. Current recovery procedures rely solely on email and two-factor authentication, creating support burdens and limiting automated verification. The Sovereign Tech Fund’s investment commissions work that introduces a mechanism for associating PyPI accounts with verified third-party identities through OAuth 2.0 / OIDC flows, allowing account recovery through trusted external services. These associations will improve both user experience and platform reliability while preserving user privacy and autonomy.

We appreciate the Sovereign Tech Fund for supporting these critical improvements that will make CPython and PyPI more secure for millions of users. If you’d like to learn more about the advances our Developers in Residence are driving, or about investing in these roles and this work, check out our Developers in Residence page and reach out to sponsors@python.org.

Tuesday, November 25, 2025

PSF Code of Conduct Working Group Shares First Transparency Report

The PSF’s Code of Conduct Working Group is a group of volunteers whose purpose is to foster a diverse and inclusive Python community by enforcing the PSF Code of Conduct, along with providing guidance and recommendations to the Python community on codes of conduct, in support of the PSF’s mission to support and facilitate the growth of a diverse and international community of Python programmers.

The working group has recently committed to publishing annual transparency reports, and we are pleased to share the first report with you today, covering the 2024 calendar year. The initial transparency report took some time to produce, but we've improved our record keeping practices to make future reports easier to prepare.

The Working Group spent time formalizing our record keeping this year, and going forward we plan to publish our transparency reports in the first quarter of each year. Each year’s report will be added to the same place in the PSF's Code of Conduct documentation so that community members can easily access them. If you have thoughts or feedback on how to make these reports more useful, we welcome you to send us an email at conduct-wg@python.org.