We are thrilled to announce that the Sovereign Tech Agency has committed to a €86,000 investment in work to be performed by the Python Software Foundation to improve the security of CPython and the Python Package Index (PyPI). The Sovereign Tech Agency is a public organization in Germany that focuses on increasing the security and resilience of critical open source software that forms the foundation of modern digital technology.
With the Sovereign Tech Fund, they invest globally in open software components that underpin economic competitiveness and the ability to innovate. Improving the security, stability, and reusability of open software components like CPython and PyPI is a win for everyone. This project consists of two components, which we are carrying out in parallel: one focused on CPython and one focused on PyPI.
The CPython component, led by PSF Security Developer in Residence Seth Larson, concerns archive-handling vulnerabilities in CPython’s standard library. Following multiple CVEs affecting the tarfile and zipfile modules, systematic fuzz-testing is required to uncover potential regressions or untested cases in extraction filtering. These modules are used by most Python packaging and installation tools, and therefore form a critical part of the software supply chain. The work commissioned through the Sovereign Tech Fund’s investment will develop test cases and seed corpora for these modules, integrate fuzz-testing through the OSS-Fuzz infrastructure, and validate filtering protections against potential bypasses.
The PyPI component, led by PSF PyPI Safety and Security Engineer Mike Fiedler with support from Director of Infrastructure Ee Durbin, focuses on PyPI account integrity and recovery. Current recovery procedures rely solely on email and two-factor authentication, creating support burdens and limiting automated verification. The Sovereign Tech Fund’s investment commissions work that introduces a mechanism for associating PyPI accounts with verified third-party identities through OAuth 2.0 / OIDC flows, allowing account recovery through trusted external services. These associations will improve both user experience and platform reliability while preserving user privacy and autonomy.
We appreciate the Sovereign Tech Fund for supporting these critical improvements that will make CPython and PyPI more secure for millions of users. If you’d like to learn more about the advances our Developers in Residence are driving, or to invest in these roles and this work, check out our Developers in Residence page and reach out to sponsors@python.org.