Tuesday, August 29, 2023

The Python Software Foundation has been authorized by the CVE Program as a CVE Numbering Authority (CNA)

When a vulnerability is disclosed in software you're depending on, the last thing you want is for the remediation process to be confusing or ad-hoc. Towards the goal of a more secure and safe Python ecosystem, the Python Software Foundation has been authorized by the CVE Program as a CVE Numbering Authority (CNA).

Being authorized as a CNA is one milestone in the Python Software Foundation's strategy to improve the vulnerability response processes of critical projects in the Python ecosystem. The Python Software Foundation CNA scope covers Python and pip, two projects which are fundamental to the rest of the Python ecosystem.

By becoming a CNA, the PSF will be providing the following benefits to in-scope projects:

  • Paid staffing for CNA operations rather than requiring volunteer time.
  • Quicker allocations of CVE IDs after a vulnerability is reported.
  • Involvement of each project's security response team during the reporting of vulnerabilities.
  • Richer published advisories and CVE Records including descriptions, metadata, and remediation information.
  • Consistent disclosures and publishing locations.

CNA operations will be staffed primarily by the recently hired Security Developer-in-Residence Seth Michael Larson, Ee Durbin, and Chloe Gerhardson.

The PSF wants to help other Open Source organizations and will be sharing lessons learned and developing guidance on becoming a CNA and day-to-day operations.

To be alerted of newly published vulnerabilities in Python or pip, subscribe to the security-announce@python.org mailing list for security advisories. There is also a new advisory database published to GitHub using the machine-readable Open Source Vulnerability (OSV) format.

If you'd like to report a security vulnerability to Python or pip, the vulnerability disclosure policy is available on python.org.

Friday, August 04, 2023

Announcing Our New PyPI Safety & Security Engineer!

We announced our intention back in May to fill this role with generous funding by Amazon Web Services (AWS), and after a thorough search, we are delighted to announce Mike Fiedler is joining the team! He joins the PSF for the next year as our first ever PyPI Safety & Security Engineer. Mike is already a dedicated member of the Python packaging community – he has been a Python user for some 15 years, maintains and contributes to open source, and became a PyPI Maintainer in 2022.

This critical role would not be possible without funding from AWS: "We are happy to be able to invest in the sustainable and secure development of Python and PyPI, and we look forward to Mike's contributions." - Tom Callaway, AWS.

Mike begins his work with the Python Packaging Index (PyPI) this week. He says, “Very excited to join the team in improving the safety and security of PyPI for end users, package publishers, maintainers, and PyPI moderators and administrators - that’s a huge audience!” We hope that everyone in the community will join us in welcoming Mike and supporting his critical work for Python packaging!

A photo of Mike Fiedler smiling to the camera.

We are thrilled that for the first time we are able to bring on an engineer who will be dedicated full-time to PyPI. PyPI is a massive project that has become key digital infrastructure serving millions of users. Up until now, PyPI has been almost entirely volunteer-run, depending on a tiny team with only a fraction of one person’s paid time. We’re expecting all PyPI users to have a tangibly improved experience from Mike’s work over the next year. Some of the outcomes we are targeting include increased support for package maintainers including multi-maintainer projects, improvements to reporting infrastructure for malicious projects, as well as a reduced response time for malware reports and account recovery requests. Mike will work closely with our also-recently-announced Security Developer in Residence, Seth Larson.

This role is funded by a substantial investment from AWS, inaugural Security Sponsor for PyPI. AWS has been one of the top sponsors of the Python Software Foundation for the last five years, and our long-term partnership with AWS has also included important in-kind donations of cloud computing infrastructure and services to support PyPI.

The Python Software Foundation (PSF) is the non-profit organization behind Python and PyPI. Our mission is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers. The PSF supports the Python community using corporate sponsorships, grants, and donations. Are you interested in sponsoring or donating to the PSF so it can continue supporting Python and its community? Check out our sponsorship program, donate directly here, or contact our team!

Wednesday, August 02, 2023

Announcing Python Software Foundation Fellow Members for Q1 2023! 🎉

The PSF is pleased to announce its first batch of PSF Fellows for 2023! Let us welcome the new PSF Fellows for Q1! The following people continue to do amazing things for the Python community:

  • Abhishek Mishra
  • Barney Gale
  • Eric Traut
  • Gina Häußge
  • Grishma Jena
  • Samuel Colvin
  • Saptak Sengupta
  • Soon Seng Goh

Thank you for your continued contributions. We have added you to our Fellow roster online.

The above members help support the Python ecosystem by being phenomenal leaders, sustaining the growth of the Python scientific community, maintaining virtual Python communities, maintaining Python libraries, creating educational material, organizing Python events and conferences, starting Python communities in local regions, and overall being great mentors in our community. Each of them continues to help make Python more accessible around the world. To learn more about the new Fellow members, check out their links above.

Let's continue recognizing Pythonistas all over the world for their impact on our community. The criteria for Fellow members are available online: https://www.python.org/psf/fellows/. If you would like to nominate someone to be a PSF Fellow, please send a description of their Python accomplishments and their email address to psf-fellow at python.org. Quarter 2 nominations are currently in review. We are accepting nominations for quarter 3 through August 20, 2023.

Are you a PSF Fellow and want to help the Work Group review nominations? Contact us at psf-fellow at python.org.