@sethmlarson@fosstodon.org

sethmlarson

@sethmlarson@fosstodon.org

:python: PSF Security Developer-in-Residence 🐍 PSF Fellow ✨ Minnesoootan, he/him

sethmlarson, to python

urllib3, #Python's most-used HTTP client library, is fundraising to add HTTP/2 support and ensure long-term sustainability of the project.

Retoots and shares are appreciated 🙏

https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support

sethmlarson, to python

There was already suspicion that LLMs generated a large batch of bogus CVEs not long ago. I suspect that CVE-2023-38898 which targeted #Python and wasn't reported to the Python Security Response Team was a part of that batch.

Now curl gets explicit proof that "security researchers" are submitting reports direct from an LLM without any double-checking. As if handling vulnerabilities wasn't hard enough for #OpenSource maintainers! 😡

https://hackerone.com/reports/2199174

sethmlarson, to random

I am the first @ThePSF Security Developer-in-Residence

https://sethmlarson.dev/security-developer-in-residence

sethmlarson, to python

#Python 3.7 is EOL today, which means that all current and future Python minor version EOLs will be 1 year apart instead of 1.5 years (thanks to PEP 602 codifying a yearly release cadence)

https://devguide.python.org/versions/

sethmlarson, to python

@pypi now requires #2FA for new user registrations in order to publish or create new projects. This is part of a broader effort to require 2FA for all users of #PyPI by the end of 2023.

#Python #Security #Opensource

https://blog.pypi.org/posts/2023-08-08-2fa-enforcement-for-new-users/

sethmlarson, to python

New article: Quirks of #Python package versioning 📦

Python package versions can get much more complicated than Semver/Calver that we're used to seeing. 🤯 Let me know if you learned something new or if you already knew all these quirks.

https://sethmlarson.dev/pep-440

sethmlarson, to python

The Python Software Foundation does incredible work for the #Python ecosystem, including enabling my and @miketheman's work to make all Pythonistas safer.

The PSF is running their year-end fundraiser right now! (Check out that 30% discount on PyCharm!)

https://pyfound.blogspot.com/2023/11/support-python-q4-2023.html

sethmlarson, to opensource

Need some extra cash and enjoy contributing to #opensource? All of urllib3's "Contributor Friendly" issues have a bounty of $100! 🤑

https://github.com/urllib3/urllib3/issues?q=is%3Aissue+is%3Aopen+label%3A%22Contributor+Friendly+%E2%99%A5%22

sethmlarson, to python

Everyone loves a PR that deletes code!

🟩🟥🟥🟥→🥳

But what about deleting code AND increasing your package's security? 🤯

That's exactly what Trusted Publishers are for. If your project uses then consider adopting them today! 🚀

https://docs.pypi.org/trusted-publishers/

sethmlarson, to python

Releases for #Python 3.11.5, 3.10.5, 3.9.18, and 3.8.18 are now available containing #security fixes for CVE-2023-40217 (HIGH) and CVE-2023-41105 (affects only Python 3.11.x, MEDIUM).

https://discuss.python.org/t/python-3-11-5-3-10-13-3-9-18-and-3-8-18-is-now-available/32254

sethmlarson, to python

#Python 3.12.0 is finally here! 🥳 Let's verify the release process' supply chain integrity using #SLSA and changes to sub-components using #SBOM! 🔐

#opensource #supplychain #security

https://sethmlarson.dev/security-developer-in-residence-weekly-report-13

sethmlarson, to random

Sustainability is a security issue. Consumers only have demands for a burnt-out maintainer, and the only help that arrives has long-term malicious intentions.

https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/

sethmlarson, (edited) to opensource

I wrote some guidance on a tough topic, removing an inactive maintainer from an #opensource project:

https://sethmlarson.dev/removing-maintainers-from-open-source-projects

sethmlarson, (edited) to python

Did you know that @ThePSF is a CVE Numbering Authority (CNA) and manages the CVEs for #Python and #pip?

We just issued our first CVE 🎉 This CVE only affects folks installing a Mercurial repo with an attacker controlled "revision" (time to upgrade, patch, or mitigate if that's you!)

https://www.cve.org/CVERecord?id=CVE-2023-5752

sethmlarson, to random

The #PSF has received funding for Malware Detection on #PyPI from #CSET! This will mean getting closer to near-instant takedowns of malware on PyPI without needing to infinitely scale up manual triaging of reports, all while remaining open! 🎉

https://discuss.python.org/t/pypi-malware-detection-project/28222

sethmlarson, to python

New article: Querying every file in every release on @pypi 📦🔍

Surveying an entire open source ecosystem is tough due to the scale and resources required. Using a new dataset and DuckDB anyone can get answers about ecosystem-scale questions! 🚀

#python #oss #opensource #security #supplychain

https://sethmlarson.dev/security-developer-in-residence-weekly-report-18

sethmlarson, to random

Happy Friday everyone! @europython just recently uploaded talk recordings; here are 3 related to security that I recommend.

If I had to pick /just one/ for you to watch it would be:

"Don't Panic! A Developer's Guide to Security" by Sebastiaan Zeeff 🚀

https://www.youtube.com/watch?v=nA4Nbdx3AAo

sethmlarson, to python

CPython vulnerabilities are now published to the @openssf Open Source Vulnerability Database! 🥳

You can use the OSV API to access machine-consumable info about security vulnerabilities affecting #Python 🛡️

https://sethmlarson.dev/security-developer-in-residence-weekly-report-11
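The PEP 440 quirks post above and this OSV post rest on the same mechanics: a Python version string has to be parsed and ordered the way PEP 440 says before an OSV `affected` range means anything, because a scanner has to be able to say that `3.9.18rc1` is below `3.9.18`. What follows is an added example written for this page, not code from Seth, CPython, pip or the `packaging` library (in practice you should use `packaging.version.Version`, which pip itself relies on); it reimplements the PEP 440 ordering in compact form, normalizes the odd spellings the PEP allows, and then evaluates a hand-constructed, OSV-shaped record against a version. `parse_version`, `normalize`, `sort_key`, `sorted_versions`, `is_affected` and `SAMPLE_OSV` are this example's own names, and every version number and the id in `SAMPLE_OSV` are made up.

```python
import re

# Simplified PEP 440 grammar: [N!]N(.N)*[{a|b|rc}N][.postN][.devN][+local], plus the
# spellings PEP 440 normalizes: alpha/beta/c/pre/preview, "-N" as an implicit post
# release, rev/r for post, a leading "v", mixed case and -/_ separators.
_PEP440 = re.compile(r"""^v?
    (?:(?P<epoch>\d+)!)?
    (?P<release>\d+(?:\.\d+)*)
    (?:[-_.]?(?P<pre_l>a|b|c|rc|alpha|beta|pre|preview)[-_.]?(?P<pre_n>\d*))?
    (?:-(?P<post_n1>\d+)|[-_.]?(?P<post_l>post|rev|r)[-_.]?(?P<post_n2>\d*))?
    (?:[-_.]?(?P<dev_l>dev)[-_.]?(?P<dev_n>\d*))?
    (?:\+(?P<local>[a-z0-9]+(?:[-_.][a-z0-9]+)*))?$""", re.VERBOSE | re.IGNORECASE)
_PRE_RANK = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "c": 2, "rc": 2, "pre": 2, "preview": 2}


def parse_version(text):
    """Split a PEP 440 version string into its segments; ValueError if it is not one."""
    m = _PEP440.match(text.strip())
    if m is None:
        raise ValueError(f"not a PEP 440 version: {text!r}")
    g = m.groupdict()
    # "1.0-1" is an implicit post release (1.0.post1); "1.0.post" means 1.0.post0
    post = int(g["post_n1"]) if g["post_n1"] is not None else (int(g["post_n2"] or 0) if g["post_l"] else None)
    return {"epoch": int(g["epoch"] or 0),
            "release": tuple(int(x) for x in g["release"].split(".")),
            "pre": (_PRE_RANK[g["pre_l"].lower()], int(g["pre_n"] or 0)) if g["pre_l"] else None,
            "post": post,
            "dev": int(g["dev_n"] or 0) if g["dev_l"] else None,
            "local": tuple(int(s) if s.isdigit() else s
                           for s in re.split(r"[-_.]", g["local"].lower())) if g["local"] else None}


def normalize(v):
    """Canonical spelling: '1.0-1' -> '1.0.post1', 'V1.0.Alpha' -> '1.0a0'."""
    out = (f"{v['epoch']}!" if v["epoch"] else "") + ".".join(map(str, v["release"]))
    if v["pre"] is not None:
        out += ("a", "b", "rc")[v["pre"][0]] + str(v["pre"][1])
    if v["post"] is not None:
        out += f".post{v['post']}"
    if v["dev"] is not None:
        out += f".dev{v['dev']}"
    if v["local"] is not None:
        out += "+" + ".".join(map(str, v["local"]))
    return out


def sort_key(v):
    """Total order per PEP 440: x.devN < xaN < xbN < xrcN < x < x+local < x.postN."""
    release = list(v["release"])
    while len(release) > 1 and release[-1] == 0:   # trailing zeros are insignificant: 1.0 == 1.0.0
        release.pop()
    if v["pre"] is None and v["post"] is None and v["dev"] is not None:
        pre = (-1, 0)       # a bare dev release sorts below every pre-release
    elif v["pre"] is None:
        pre = (3, 0)        # a final release sorts above a/b/rc
    else:
        pre = v["pre"]
    post = -1 if v["post"] is None else v["post"]
    dev = (1, 0) if v["dev"] is None else (0, v["dev"])   # x.devN < x, x.post1.dev0 < x.post1
    # Local segments: numeric parts outrank alphanumeric ones; a local version
    # outranks the same public version, but still sits below its .post releases.
    local = (0,) if v["local"] is None else (1,) + tuple(
        (1, s) if isinstance(s, int) else (0, s) for s in v["local"])
    return (v["epoch"], tuple(release), pre, post, dev, local)


def sorted_versions(strings):
    return [normalize(v) for v in sorted(map(parse_version, strings), key=sort_key)]


def is_affected(osv_record, version):
    """True if `version` lies inside an ECOSYSTEM range of an OSV-shaped record."""
    key = lambda s: sort_key(parse_version(s))
    v = key(version)
    for affected in osv_record.get("affected", []):
        for rng in affected.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            hit = False
            for ev in rng["events"]:   # ascending order: "introduced" opens a span, "fixed" closes it
                if "introduced" in ev and v >= key(ev["introduced"]):
                    hit = True
                if "fixed" in ev and v >= key(ev["fixed"]):
                    hit = False
                if "last_affected" in ev and v > key(ev["last_affected"]):
                    hit = False
            if hit:
                return True
    return False


# Constructed record in the shape of an OSV advisory; the id and all version
# numbers are made up for this example, not taken from a real advisory.
SAMPLE_OSV = {"id": "EXAMPLE-0001", "affected": [{
    "package": {"ecosystem": "Python", "name": "CPython"},
    "ranges": [{"type": "ECOSYSTEM", "events": [
        {"introduced": "3.8.0"}, {"fixed": "3.8.18"},
        {"introduced": "3.9.0"}, {"fixed": "3.9.18"},
        {"introduced": "3.11.0"}, {"fixed": "3.11.5"}]}]}]}

if __name__ == "__main__":
    print(sorted_versions(["1.0.post1", "1.0rc1", "1.0.dev0", "1.0", "1.0+local.1", "1!0.5"]))
    print({ver: is_affected(SAMPLE_OSV, ver) for ver in ("3.8.17", "3.9.18rc1", "3.11.5")})
```

Two quirks worth noticing in the output: `1.0+local.1` sorts above `1.0` but below `1.0.post1`, and `3.9.18rc1` is still reported as affected by a record whose fix is `3.9.18`, which is the behaviour you want from a scanner. The hosted OSV API (`POST https://api.osv.dev/v1/query` with a `package`/`version` body) performs this evaluation server-side; the local evaluator is for when you already hold the records, for example in an air-gapped build, and the ecosystem and package names in the sample are assumed, not checked against the live database.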

sethmlarson, to python

🚨 PSA: is requiring in 2024 to publish new releases. If you're a developer of packages then you need to enable 2FA in addition to adopting either Trusted Publishers or API tokens before publishing new releases.

Data from today shows less than 10% of PyPI's accounts have 2FA enabled: https://p.datadoghq.com/sb/7dc8b3250-389f47d638b967dbb8f7edfd4c46acb1

sethmlarson, to python

urllib3 recently reached 10 billion total downloads!! 🎉🔟🥳

https://pepy.tech/projects/urllib3?versions=%2A

We crossed 10 billion on August 24th 2023. It's been incredible seeing the growth of the #Python community as a maintainer of this project 😊

sethmlarson, to random

urllib3 in your browser urllib3 in your browser urllib3 in your browser 🤯

https://github.com/urllib3/urllib3/releases/tag/2.2.0

sethmlarson, (edited) to python

xz/liblzma backdoor (CVE-2024-3094) is trending.

https://openwall.com/lists/oss-security/2024/03/29/4

bundles xz v5.2.5 and earlier which don't contain the backdoored binary files. is also not affected due to using Debian Bookworm, not Sid.

Querying PyPI packages and Python Dockerhub images doesn't show any xz 5.6.x binaries.

From what I've gathered from others, the backdoor appears to target sshd (SSH server) on glibc-based distros, so if you're using Ubuntu or Fedora check that you aren't affected.

sethmlarson, to random

Rearranging the jobs and dependencies to reduce risk in the CPython release process. Reduces the source artifacts build from over 800 dependencies to ~170.

Read more: https://sethmlarson.dev/security-developer-in-residence-weekly-report-35
