This critical role would not be possible without funding from the OpenSSF Alpha-Omega project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!

Memory-safety is clearly a top priority for software security, making up 70% of vulnerabilities in popular software like Chrome and Windows. The US Government RFI on open source security had a focus area on memory-safety to which the Python Software Foundation provided a response, for which I was the primary author on this topic.

The US government organization CISA (Cybersecurity and Infrastructure Security Agency) issued new recommendations this week regarding securing software products through memory safety. You can read the full information sheet here.

From the recommendation I have the following quote, emphasis mine:

“Recommended memory safe programming languages mentioned in the CSI include C#, Go, Java, Python, Rust, and Swift.”

This is awesome news for Python users!🥳

More support will be needed to migrate Python's extensive packaging ecosystem from memory-unsafe languages to memory-safe languages. I've made recommendations on how best the US government can aid in that effort in the PSF's RFI response. My recommendations included:

• Provide resources (financial or time) to aid in discovery, improving tooling (like PyO3), and the actual migration of projects.
• Prioritizing projects for migration based on security-sensitivity and criticality.
• Learning from the experiences of projects which have migrated from C to Rust like cryptography.
• Hardening for projects which can't migrate to memory-safe languages for a variety of reasons.

You can see the current usage of memory-unsafe languages in Python projects in a previous article.

Other items

• PyPI Safety and Security Engineer Mike Fielder published an announcement about 2FA enforcement of PyPI starting January 1st, 2024. All users of PyPI will be required to use 2FA.
• Initial pull request adding Software Bill-of-Materials for CPython dependencies has been merged. I've created a list of sub-issues on different projects for where the work will be progressing next.
• Łukasz will dry-run the automation for the CPython release process for CPython 3.13.0a3 (according to PEP 719 will be in about a week).
• Created the CVE record and advisory for CVE-2023-6507. This vulnerability affects only CPython 3.12.0.
• Submitted my year-end report to OpenSSF Alpha-Omega. Subscribe to the Alpha-Omega blog to be notified when the year-end report is published.
• Submitted to the PyCon US CFP.

That's all for this week! 👋 If you're interested in more you can read last week's report.

Don't let social media algorithms decide what you want to see.

Get notified of new publications by subscribing to the RSS feed or the email newsletter: