Introduction from Security Developer-in-Residence

Hello everyone! :wave:

Last week the PSF announced me as the Security Developer-in-Residence and I wanted to introduce myself and detail how the role relates to CPython. I’m Seth Larson; I’ve been a contributor to the Python open source ecosystem for a few years, mostly maintaining packages like urllib3 and requests. I also write about open source supply chain security, maintenance, and sustainability, as these are topics very close to my heart. I have some knowledge about CPython core development but I am not currently a CPython core developer.

Regarding the role itself, I covered a bit of the “what” and “how” on my own personal blog, but the gist is to make recommendations and take actions to improve the security posture for projects like CPython, PyPI, and the broader Python ecosystem. For CPython, this will likely focus initially on the Python Security Response Team but will extend to other topics as I plan for the next year in this role. I welcome feedback on potential projects or areas to focus on; please get in touch if you have thoughts.

Additionally, if there are other resources/channels that I should be a participant in that I may not be aware of, I’m happy to have them sent my way.

That’s all I have for now; I look forward to collaborating with you all to build a more secure Python ecosystem! :rocket:

36 Likes

It’s not clear to me what this entails. Could you offer a brief summary? Terms like “security posture” don’t mean much to me, but I assume this has something to do with securing the actual process of distributing and integrating code (i.e. detecting when people try to put malware on PyPI or make insecure pull requests for CPython), rather than the security of the code itself?

Great question @kknechtel, “software supply chain security” is a pretty wide topic. The visualization that comes to mind first for software supply chain security is the one created by SLSA which covers a lot of what you mentioned by showing different threats to the software supply chain. There’s even more beyond what is captured in the graph like individual security, access control (who can do what), vulnerability management and disclosure.

In general I’m looking to make improvements that will last beyond my time in the role, so security process improvements, project planning, advocating for adoptable security practices, reducing the burden on volunteers doing security work, and providing more visibility into the Python ecosystem are all top-of-mind for me.

There’s a separate role being filled by the PSF for a PyPI Security and Safety Engineer who will work on preventing the distribution of malware on PyPI and other safety mechanisms for PyPI specifically. Look forward to more information on that on the PyPI blog.

Hope this clarifies more about the role!

5 Likes