
Episode 451 - Python security with Seth Larson

Josh and Kurt talk to Seth Larson from the Python Software Foundation about securing the Python ecosystem. Seth is an employee of the PSF and is doing some amazing work. Seth is showing what can be accomplished when we pay open source developers to do some of the tasks a volunteer might consider boring but that are super important work.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_451_Python_security_with_Seth_Larson.mp3

Show Notes:
Seth Larson
XKCD PGP Signature
Seth’s Blog
Python and Sigstore
Deprecating PGP - PEP 761
Python SBOMs

October 21, 2024

Episode 447 - The Tidelift 2024 open source maintainer report

Josh and Kurt talk about the 2024 Tidelift maintainer report. The report is pretty big and covers a ton of ground. We focus on a few of the statistics that should worry anyone who uses open source. We’ve known for a while that developers are struggling, and the numbers back that up. This one feels like the old “we’ve tried nothing and we’re all out of ideas”.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_447_The_Tidelift_2024_open_source_maintainer_report.mp3

Show Notes:
THE 2024 TIDELIFT STATE OF THE OPEN SOURCE MAINTAINER REPORT
Canadian passport
Changelog Interviews #433
Pandas CVE

September 23, 2024

Episode 390 - Rust shipping binaries doesn't matter

Josh and Kurt talk about a blog post that explains how C and C++ compilers prioritize performance over correctness. This is the classic story of security vs. usability. Security is never the primary goal. If a security requirement doesn’t also enable other business goals, it will fail. We also touch on the news of a Rust package containing binary files. It doesn’t really have anything to do with security; it’s all about convenience. ...

August 28, 2023

Episode 371 - pip install is the tool we deserve but not the tool we need

Josh and Kurt talk about a blog post about pip and virtual environments. This eventually turns into a larger conversation around packaging tools and how we see incremental changes over time. The package ecosystems were what we needed a few years ago, but our needs have changed.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_371_-_pip_install_is_the_tool_we_deserve_but_not_the_tool_we_need.mp3

Show Notes:
One Does Not Simply ‘pip install’
Dag Wieers RPM
Webfinger
GitHub repo

April 17, 2023

Episode 344 - Python tarfile - 2022 is nothing like 2007

Josh and Kurt talk about a newly rediscovered old Python vulnerability. It raises a lot of questions about what was OK in 2007 vs. what’s OK in 2022. The issue is very complicated and has a wild story surrounding it. There is no reason not to fix this in 2022.

https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_344_Python_tarfile_2022_is_nothing_like_2007.mp3

Show Notes:
CVE-2007-4559
Red Hat Bug
Register story
Response from upstream
Upstream patch
Zip Slip
Current upstream bug
CSURF

October 10, 2022

Episode 293 - Scoring OpenSSF Security Scoring

Josh and Kurt talk about the release of OpenSSF Security Scorecards version 3. This is a great project that will probably make a huge difference. Most of the things the scorecards measure are no-brainer activities. We go through the list of metrics being measured. There are only a few that we don’t think are fantastic.

https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_293_Scoring_OpenSSF_Security_Scoring.mp3

Show Notes:
4 of spades
OpenSSF
Chris Montgomery audio explanation
Scorecard 3.0.0
Scoring criteria
Python Skeleton

October 18, 2021