Sovereign Tech Agency and PSF Security Partnership
Briefly

"The CPython component, led by PSF Security Developer in Residence Seth Larson, concerns archive-handling vulnerabilities in CPython's standard library. Following multiple CVEs affecting the tarfile and zipfile modules, systematic fuzz-testing is required to uncover potential regressions or untested cases in extraction filtering. These modules are used by most Python packaging and installation tools, and therefore form a critical part of the software supply chain."
"The PyPI component, led by PSF PyPI Safety and Security Engineer Mike Fiedler with support from Director of Infrastructure Ee Durbin, focuses on PyPI account integrity and recovery. Current recovery procedures rely solely on email and two-factor authentication, creating support burdens and limiting automated verification. The Sovereign Tech Fund's investment commissions work that introduces a mechanism for associating PyPI accounts with verified third-party identities through OAuth 2.0 / OIDC flows, allowing account recovery through trusted external services."
The Sovereign Tech Fund invests globally in open software components to strengthen economic competitiveness and innovation. The project has parallel CPython and PyPI components. The CPython work targets archive-handling vulnerabilities in the standard library's tarfile and zipfile modules: it develops test cases and seed corpora, integrates systematic fuzz-testing via OSS-Fuzz, and validates the extraction-filtering protections. The PyPI work improves account integrity and recovery by letting users associate PyPI accounts with verified third-party identities via OAuth 2.0/OIDC, reducing reliance on email and two-factor methods alone and easing support burdens. Both efforts aim to improve security, stability, reusability, and user experience for millions of users.
Read at Python Software Foundation Blog