FLOSS Project Planets

 

2023 was an exciting year of growth for the Python Software Foundation! We’ve captured some of the key numbers, details, and information in our latest Annual Impact Report. Some highlights of what you’ll find in the report include:

• A letter from our Executive Director, Deb Nicholson
• Notes from Our PyCon US Chair, Marietta Wijaya, and PSF Board of Director Chair, Dawn Wages
• Updates on the achievements and activities of a couple of our Developers-in-Residence, Łukasz Langa and Seth Larson—and announcing more members of the DiR team!
• An overview of what our PyPI Safety & Security Engineer, Mike Fiedler, has accomplished- as well as some eye-watering PyPI stats!
• A celebration and summary of PyCon US 2023, the event’s 20th anniversary, and the theme for 2023’s report cover
• A highlight of our Fiscal Sponsorees (we brought on 7 new organizations this year!)
• Sponsors who generously supported our work and the Python ecosystem
• An overview of PSF Financials, including a consolidated financial statement and grants data

We hope you check out the report, share it with your Python friends, and let us know what you think! You can comment here, find us on social media (Mastodon, X, LinkedIn), or share your thoughts on our forum.

Step behind the curtain of DrupalCon Portland's keynote lineup and immerse yourself in a world of innovation and expertise. Join us as we unveil exclusive insights from industry leaders, including Cristina Chumillas, Janez Urevc, Ted Bowman, Fran Garcia-Linares, Jürgen Haas, and Mateu Aguiló Bosch, offering a tantalizing glimpse into the transformative sessions awaiting attendees

Congratulations to the inaugural members of the new Project Update Working Group.

This is a new working group tasked with helping maintainers prepare contributed projects for the next major release of Drupal core.

The inaugural members are as follows:

1. Norah Medlin (tekNorah) (provisional)

2. Vladimir Roudakov (vladimiraus)

3. Sven Decabooter (svendecabooter)

4. Naveen Valecha (naveenvalecha)

5. Kristen Pol (Kristen Pol)

6. Matt Glaman (mglaman)

7. Darren Oh (Darren Oh)

8. Mark Casias (markie)

9. Kim Pepper (kim.pepper)

10. Björn Brala (bbrala)

11. Lucas Hedding (heddn)

12. Pedro Cambra (pcambra)

13. Allan Chappell (generalredneck)

14. Jakob Perry (japerry)

15. Timo Huisman (Timo Huisman) (provisional)

The group will work in the coming weeks to establish processes and changes required to Drupal.org to facilitate the role.

If you wish to get in touch and say congratulations, you can find them in the #project-update-working-group channel on slack.

Mike Goulding

Senior Drupal Engineer

Mike has been part of the Four Kitchens crew since 2018, where he works as a senior engineer and tech lead for a variety of Drupal and WordPress projects.

January 1, 1970

The Columbia SPS homepage

For higher ed institutions, the need to manage updates for multiple websites is an ongoing struggle. Each site should reflect the distinct identity of a given school or department. But as each website’s CMS, frontend design, and backend architecture diverge, any organization will need to grapple with the necessary upkeep.

Columbia School of Professional Studies (SPS) faced this situation with three separate websites. One site presents summer courses, another targets high school students with pre-college offerings, and the third is the traditional SPS website. Each domain serves a different audience and is managed by a small team.

As each website continued to diverge, users found it difficult to recognize them as part of the same school. Worse yet, the three websites were on two different versions of Drupal and had grown difficult to maintain, as one platform was reaching its end of life.

SPS came to Four Kitchens seeking an upstream solution to provide relief. In this preview of an upcoming presentation at DrupalCon Portland 2024’s Higher Education Summit, the Config Split module has a newer feature that cleared the way for an efficient resolution.

How an upstream platform streamlines diverging websites

Columbia SPS needed a solution that would resolve multiple nagging issues. In much the same way that a design system streamlines operations by creating a centralized content resource, an upstream platform enables multiple websites to share a single codebase.

Along with bringing the organization’s Drupal instances into alignment and reducing technical debt, the approach offered three core advantages:

• Increased efficiency: Enable the university to maintain multiple websites with less effort. When you update code in one place, it impacts every site in the organization.
• Greater consistency: Align user experience and simplify internal planning for site updates.
• Streamlined development: Shared code, security updates, and component access. No matter what site Columbia’s team works on, they know what processes to expect.

To make sure each site could still offer a distinct experience, Columbia didn’t want to share content or merge each website into one. They primarily wanted to make each easier to manage for their team.

Offer shared (but distinct) experiences through Config Split

Creating an upstream platform for Columbia SPS hinged on the Configuration Split Drupal module. Put simply, this module allows you to apply a different configuration to a website to suit specific scenarios. You can use Config Split to make sure you only see error logs on your test environment (not your live site).

The Columbia SPS Summer Session website

However, Columbia SPS still wanted its three websites to offer distinct features. To enable this flexibility, we used a newer feature in the 2.x versions of the module called Config Patch. This feature allows Columbia SPS to apply part of a website configuration to each website.

For example, each university website may share the same article structure. But one website can support a distinctive CTA component at the bottom. Columbia SPS now has that flexibility — and it doesn’t cause chaos from a website maintenance standpoint.

With Config Patch, Columbia can use a single code repository to maintain three sites that have their own distinct details within the same baseline features. We also provided SPS with a base demo site that keeps Config Split from allowing too much flexibility. Adding rules to settings.php provides a home for the logic for each site to make sure they follow the proper configuration.

Plus, the demo site functions as a mold if the organization needs to add a new website. Along with providing support for the organization’s current needs, the upstream platform provides support for the future.

Avoiding pitfalls of upstream platforms in higher ed

Implementing an upstream solution for Columbia SPS enabled the university to run its separate sites more efficiently and provide a more consistent experience. Just as importantly, the institution escaped the shadow of a Drupal 7 migration, which stands as a major benefit for the organization.

However, adopting an upstream platform carries its own complications. For all the advantages Columbia SPS gained, the organization also needs to be mindful of a few potential pitfalls of an upstream platform:

1. Bringing distinct site features back into alignment is difficult: If Columbia SPS wanted to roll back a configuration that was previously split, the sites can be difficult to manage locally.
2. Shifting priorities for Drupal updates: Platform updates must be made against the demo site first to maintain alignment between each web property.
3. Increased work for developing multiple features: An upstream platform reduces complexity, but working in a single repository presents its own challenges. Creating distinct features for individual websites requires a little more work on the part of your development team.

Upstream platforms offer efficiency and consistency for higher ed

Navigating the specific needs for multiple websites is a persistent challenge for higher ed institutions. On the one hand, delivering a consistent experience drawn from a single codebase is easier to manage, especially for a small, centralized IT team. On the other hand, individual departments and schools have specific design and functionality needs. They should be able to offer website experiences distinct from the look and feel of your core website.

With an upstream platform, you gain the functionality to serve both needs. The solution introduces new complexity, but with an experienced development partner, a multisite platform allows your team to work more efficiently. Better still, if your organization needs to maintain multiple platforms as your websites have diverged, you gain key benefits from addressing needed upgrades.

Would this kind of solution help your organization? Let us know how we can help.

Details

If you’re going to DrupalCon Portland 2024, please make sure to attend the Higher Education Summit to hear directly from Mike and the team at Columbia SPS.

Where: Oregon Convention Center (777 NE Martin Luther King Jr. Blvd, Portland, OR 97232), Room C123-124

When: Thursday, May 9, 2024, 9:00am – 4:00pm

For tickets and session details, click here.

The post Aligning diverging websites with an upstream platform through Drupal appeared first on Four Kitchens.

This tutorial looks at how to build server-side UI components in Django.

Did you forget the -r when cloning a git repo with submodules? The command you’re looking for is git submodule update --init

June 2024 marks 10 incredible years of Django Girls magic! 🥳✨

We couldn't have reached this milestone without YOU! Whether you attended a workshop, volunteered, financially supported us, or cheered us on, you've been vital. From the bottom of our hearts, thank you for being part of the Django Girls community. 💕

To celebrate, we're reflecting on our impact and want to hear from YOU! Share your stories in a short survey courtesy of JetBrains and PyCharm. Your feedback will help us improve and reach more people.

The Theme for our 10th anniversary is “The Django Girls Glow Up!” ✨💃

We want to celebrate your positive transformations over the years!

In the survey, please share a photo 📸 or video and tell us how Django Girls has impacted your life. As a thank you, you could win a $100 Amazon gift card or a 1-year JetBrains All Products Pack subscription. Plus, everyone gets a three-month PyCharm Professional trial!

Ready to join the celebration? Click the link to complete the survey and let your Django Girl glow shine! ✨

Take the Survey Now: https://surveys.jetbrains.com/s3/dn-django-girls-survey-2024

When you’ve finished the survey, head over to our socials, and let’s continue celebrating there. Use the #DjangoGirlsGlowUp hashtag to share your photos and stories, and let's spread the love! 🚀💖

Find us on our socials:

• https://twitter.com/djangogirls
• https://fosstodon.org/@djangogirls
• https://www.linkedin.com/company/django-girls

Thank you for being part of our journey. Here's to another 10 years of glowing up together! 🌟💫

Python's variables are not buckets that contain objects; they're pointers. Assignment statements don't copy: they point a variable to a value (and multiple variables can "point" to the same value).

Table of contents

1. Changing two lists at once...?
2. Variables are separate from objects
3. Assignment statements don't copy
4. Explicitly copying a list
5. Variables are like pointers, not buckets

Changing two lists at once...?

Here we have a variable a that points to a list:

>>> a = [2, 1, 3, 4]

Let's make a new variable b and assign it to a:

>>> a = [2, 1, 3, 4] >>> b = a

If we append a new item to b, what will its length be?

>>> b.append(7) >>> len(b)

Initially, the b list had four items, so now it should have five items. And it does:

>>> len(b) 5

How many items do you think a has? What's your guess?

>>> len(a)

Is it five, the same as b? Or is it still four, as it was before?

The a list also has five items:

>>> len(a) 5

What's going on here?

Well, the variables a and b, both point to the same list.

If we look up the unique ID for the object that each of these variables points to, we'll see that they both point to the same object:

>>> id(a) 140534104117312 >>> id(b) 140534104117312

This is possible because variables in Python are not buckets, but pointers.

Variables are separate from objects

Let's say we've made three …

Read the full article: https://www.pythonmorsels.com/variables-are-pointers/

In this episode, we invite the founder of Buttondown, a Python-based Software as a Service (SaaS) application for creating and managing newsletters.

Mike Driscoll, the host of the show, chats with Justin about the following topics:

• Why he created a SaaS with Python
• Favorite Python packages or modules
• Python web frameworks
• Entrepreneurship
• AI and programming
• and more!

The post The Python Show Podcast Ep 39 – Buttondown – A Python SaaS with Justin Duke appeared first on Mouse Vs Python.

In this quiz, you’ll test your understanding of creating calendars in Python using the calendar module.

By working through this quiz, you’ll revisit the fundamental functions and methods provided by the calendar module.

[ Improve Your Python With 🐍 Python Tricks 💌 – Get a short & sweet Python Trick delivered to your inbox every couple of days. >> Click here to learn more and see examples ]

This blog post is the first one in a series where we are going to have a look at one exciting feature coming as a Technology Preview in 6.7.0: the ability to use QML and Qt Quick in your otherwise non-Qt Android apps as an Android View! We've also created an Android Studio plugin to help you keep the workflow simple. In this first post, we'll have an overview of the feature, what it entails, why we are adding it, and where you could benefit from it. In the following posts, we will show how to use it along with some code examples and take a closer look at the tooling, testing, and some possible use cases, such as 3D. 

The E-Banners for #Akademy2024 are now available!

Use them to promote Akademy on your websites, blogs, social media headers, or any other platform.

There are three different sizes to choose from. If you decide to use the banners, it would be great if you could link them to the Akademy website to help attract more visitors.

Let's spread the word about Akademy and make it a success!

(These banners were created by Andy B.)

Focus

This month I didn't have any particular focus. I just worked on issues in my info bubble.

Changes

• SWH web interface: ensure deliberate forge type selection
• Debian BTS usertags: fixed Python 2.13, reproducible builds, time_t, sysadmin, porter, archive admin usertags
• Debian wiki pages: ContinuousIntegration/GUI, Hardware/Wanted, PamLastlog2, Ports/riscv64

Issues

• Conffile removal needed in thermald
• Broken symlink in libntlm
• Features in diffoscope, systemd-cron (1 2 3 4)
• Warnings in litecli, defcon, isenkram-cli, onboard

Administration

• Debian IRC: updated #debian-dpl access list for new DPL
• Debian wiki: unblock IP addresses, approve accounts

Communication

• Initiate discussion about Debian & libre AI

Sponsors

The SWH work was sponsored. All other work was done on a volunteer basis.

Do you find yourself or your team building internal apps frequently for your company? Are you familiar with the term "forms over data"? They are super empowering for your org but they can be pretty repetitive and you might find yourself spending more time than you'd like working on them rather than core products and services. I invited Jimmy Chan from Dropbase to tell us about their service who's tagline is "Build internal web apps with just Python." It's a cool service and a fun conversation.<br/> <br/> <strong>Episode sponsors</strong><br/> <br/> <a href='https://talkpython.fm/mailtrap'>Mailtrap</a><br> <a href='https://talkpython.fm/training'>Talk Python Courses</a><br/> <br/> <strong>Links from the show</strong><br/> <br/> <div><b>Build internal web apps with just Python.</b>: <a href="https://www.dropbase.io" target="_blank" rel="noopener">dropbase.io</a><br/> <b>Dropbase on Github</b>: <a href="https://github.com/DropbaseHQ/dropbase" target="_blank" rel="noopener">github.com</a><br/> <b>Dropbase @ LinkedIn</b>: <a href="https://www.linkedin.com/company/dropbase" target="_blank" rel="noopener">linkedin.com</a><br/> <b>Dropbase on Twitter</b>: <a href="https://twitter.com/dropbasehq" target="_blank" rel="noopener">twitter.com</a><br/> <b>Jimmy Chan</b>: <a href="https://www.linkedin.com/in/jimmyechan/" target="_blank" rel="noopener">linkedin.com</a><br/> <b>Jimmy on Twitter</b>: <a href="https://twitter.com/jimmyechan" target="_blank" rel="noopener">twitter.com</a><br/> <b>Dropbase Docs</b>: <a href="https://docs.dropbase.io" target="_blank" rel="noopener">docs.dropbase.io</a><br/> <b>Dropbase</b>: <a href="https://dropbase.io" target="_blank" rel="noopener">dropbase.io</a><br/> <b>Watch this episode on YouTube</b>: <a href="https://www.youtube.com/watch?v=0VULU3g8wqU" target="_blank" rel="noopener">youtube.com</a><br/> <b>Episode transcripts</b>: <a href="https://talkpython.fm/episodes/transcript/460/dropbase-build-internal-tools-with-python" target="_blank" rel="noopener">talkpython.fm</a><br/> <br/> <b>--- Stay in touch with us ---</b><br/> <b>Subscribe to us on YouTube</b>: <a href="https://talkpython.fm/youtube" target="_blank" rel="noopener">youtube.com</a><br/> <b>Follow Talk Python on Mastodon</b>: <a href="https://fosstodon.org/web/@talkpython" target="_blank" rel="noopener"><i class="fa-brands fa-mastodon"></i>talkpython</a><br/> <b>Follow Michael on Mastodon</b>: <a href="https://fosstodon.org/web/@mkennedy" target="_blank" rel="noopener"><i class="fa-brands fa-mastodon"></i>mkennedy</a><br/></div>

Navigation module makes use of Layout Builder to construct the navigation toolbar.

There have been some questions about this decision in Slack. This post discusses the background.

In #3397058: Convert navigation sections to blocks and use the menu system the navigation module added a plugin system and config entity for 'navigation blocks'. These were very nearly identical to block plugins and block config entities. The primary difference was the config entities did not depend on a theme like block config entities do.

In #3411099: Create an administration UI for managing Navigation Blocks a UI was added for editing and managing navigation blocks. This duplicated further code from the block module.

#3438895: Add the new Navigation to core as an Experimental module was the issue to add the navigation module to core. This point was the first time that many core committers had looked at the code. As part of a Framework Manager review of the issue, the amount of duplication between the block and navigation modules was raised.

Until this point the navigation module lived in contrib and did not have a chance to change code in core. But now that it was a merge request against core, changing core was a possibility. As a result the Framework Managers made an attempt to modify the theme-assumption in the block system to support the navigation use-case. This resulted in a less than ideal scenario where Block::getTheme() could return null or an empty string in some scenarios. Whilst it was possible to fix all calls in core, the impact this could have on contrib and custom code felt like it would be problematic.

At this point the idea of using Layout Builder's section storage as a data-model for the blocks in navigation was floated. Layout Builder's section storage provides a data-model that allows placing and configuring block plugins but without block config entities. There is no dependency between these block placements and a theme. Layout Builder also includes an API for limiting which blocks can be used where, which was also a requirement for the navigation module. Not all block plugins would work inside the navigation toolbar.

The Framework Managers worked on the core merge request to assess the feasibility of this change. The net result was the removal of 4,000 lines of code but with largely the same functionality. As a result, the version of the navigation module that was committed to Drupal 10.3.0 and 11.x depends on the Layout Builder module.

Sites who don't use Layout Builder for building entity displays can continue to use their preferred approach. Having Layout Builder enabled doesn't change how entities are rendered unless you enable it on a per entity-bundle-display basis. Prior to 10.3 there were performance issues from the number of block plugins derived by Layout Builder. But from 10.3 sites can now control and prevent this.

The Navigation initiative has created a list of follow-up issues for the usability of Layout Builder when configuring the navigation toolbar. Some of these overlap with existing usability issues for Layout Builder. In addition the recently announced Experience builder initiative will invest in improving Layout Builder usability. Finally, the Dashboard initiative is also using Layout Builder for handling block placements. When we standardise on a solution and work together to improve it, it will lead to improvement across the board.

In this episode, we invite the founder of Buttondown, a Python-based Software as a Service (SaaS) application for creating and managing newsletters.

Mike Driscoll, the host of the show, chats with Justin about the following topics:

• Why he created a SaaS with Python

• Favorite Python packages or modules

• Python web frameworks

• Entrepreneurship

• AI and programming

• and more!

Wing 10.0.4 improves performance of the Python 3.12+ debugger, fixes debugging the Python Shell with Python 3.12, and makes several other improvements.

See the change log for details.

Download Wing 10 Now: Wing Pro | Wing Personal | Wing 101 | Compare Products

What's New in Wing 10

AI Assisted Development

Wing Pro 10 takes advantage of recent advances in the capabilities of generative AI to provide powerful AI assisted development, including AI code suggestion, AI driven code refactoring, description-driven development, and AI chat. You can ask Wing to use AI to (1) implement missing code at the current input position, (2) refactor, enhance, or extend existing code by describing the changes that you want to make, (3) write new code from a description of its functionality and design, or (4) chat in order to work through understanding and making changes to code.

Examples of requests you can make include:

"Add a docstring to this method" "Create unit tests for class SearchEngine" "Add a phone number field to the Person class" "Clean up this code" "Convert this into a Python generator" "Create an RPC server that exposes all the public methods in class BuildingManager" "Change this method to wait asynchronously for data and return the result with a callback" "Rewrite this threaded code to instead run asynchronously"

Yes, really!

Your role changes to one of directing an intelligent assistant capable of completing a wide range of programming tasks in relatively short periods of time. Instead of typing out code by hand every step of the way, you are essentially directing someone else to work through the details of manageable steps in the software development process.

Read More

Support for Python 3.12

Wing 10 adds support for Python 3.12, including (1) faster debugging with PEP 669 low impact monitoring API, (2) PEP 695 parameterized classes, functions and methods, (3) PEP 695 type statements, and (4) PEP 701 style f-strings.

Poetry Package Management

Wing Pro 10 adds support for Poetry package management in the New Project dialog and the Packages tool in the Tools menu. Poetry is an easy-to-use cross-platform dependency and package manager for Python, similar to pipenv.

Ruff Code Warnings & Reformatting

Wing Pro 10 adds support for Ruff as an external code checker in the Code Warnings tool, accessed from the Tools menu. Ruff can also be used as a code reformatter in the Source > Reformatting menu group. Ruff is an incredibly fast Python code checker that can replace or supplement flake8, pylint, pep8, and mypy.

Try Wing 10 Now!

Wing 10 is a ground-breaking new release in Wingware's Python IDE product line. Find out how Wing 10 can turbocharge your Python development by trying it today.

Downloads: Wing Pro | Wing Personal | Wing 101 | Compare Products

See Upgrading for details on upgrading from Wing 9 and earlier, and Migrating from Older Versions for a list of compatibility notes.

Hi,

Keeping my promise for monthly bits, here's a quick snapshot of my first ten days as DPL.

Special thanks to Jonathan for an insightful introduction that left less room for questions. His introduction covered my first tasks like expense approval and CTTE member appointments thoroughly. Although I made a visible oversight by forgetting to exclude Simon McVittie from the list, whose term has ended , I'm committed to learning from this mistake. In future I'll prioritize thorough proofreading to ensure accuracy.

Part of my "work" was learning what channels I need to subscribe and adjust my .procmailrc and .muttrc took some time.

Recently I had my first press interview. I had to answer a couple of prepared questions for Business IT News. It seems journalists are always on the lookout for unique angles. When asked if humility is a new trait for DPLs, my response would be a resounding "No." In my experience, humility is a common quality among DPLs I've encountered, including Jonathan.

One of my top priorities is reaching out to all our dedicated and appointed teams, including those managing critical infrastructure. I've begun with the CTTE, Salsa Admins and Debian Snapshot. Everything appears to be in order with the CTTE team. I'm waiting for response from Salsa and Snapshot, which is fine given the recent contact.

I was pointed out to the fact that lintian is in an unfortunate state as Axel Beckert confirmed on the lintian maintainers list. It turns out that bug #1069745 of magics-python should not have been undetected for a long time if lintian bug #677078 would have been fixed. It seems obvious to me that lintian needs more work to fulfill its role as reliably policy checker to ensure our high level of packaging quality.

In any case thanks a lot to Axel who is doing his best but it seems urgent to me to find some more person-power for this task. Any volunteer to lend some helping hand in the lintian maintainers team?

On 2024-04-30 I gave my first talk "Bits from greenhorn DPL" online at MiniDebConf Brasil in Belo Horizonte. The Q&A afterwards stired some flavours of the question: "What can Debian Brasil do better?" My answer was always in a way: Given your great activity in now organising the fifth MiniDebConf you are doing pretty well and I have no additional hints for the moment.

Kind regards Andreas.

Or FOFAFOSS. Rolls right off your tongue.

Like in many families, there's always a bit of.. turmoil and drama in FOSS. Something breaks (either on purpose or by accident), people get frustrated.. The usual. It is kind of to be expected when it comes to very social projects, like let's say, Linux desktop environments.

People have their own visions and ways to see things. They often clash. That's normal. It's quite human. I do like to think that Linux desktop environments especially are like siblings that have rivalries.

But we got to remember that it's not "us vs them" here. We don't have the resources to fight each other. We need to work together even with our incompatible visions sometimes. Otherwise things will keep fracturing and get even worse.. And nobody gains from that. Well, except the proprietary platforms. :P

In the end we all want to make good software for everyone to use and enjoy. Let's help each other to do that as well as we can.

Nothing wrong with "Oh you made that? Well watch this!" type of friendly rivalry however, it keeps us doing what we do best. :)

I just wanted to write this down as somekind of reminder that we got to remember to work together if we want to succeed. Even when frustrated.

And no I am not any high and mighty person to really say this, I have had my own share of frustrations and quips. This post serves also as a reminder for myself.

So let's try to work together as well as we can.

Isolating risk in the CPython release process About • Blog • Newsletter • Links Isolating risk in the CPython release process

Published 2024-05-02 by Seth Larson
Reading time: minutes

This critical role would not be possible without funding from the Alpha-Omega project. Massive thank-you to Alpha-Omega for investing in the security of the Python ecosystem!

The first stage of the CPython release process produces source and docs artifacts. In terms of "supply chain integrity", the source artifacts are the most important artifact produced by this process. These tarballs are what propagates down into containers, pyenv, and operating system distributions, so reducing the risk that these artifacts are modified in-flight is critical.

A few weeks ago I published that CPythons' release process for source and docs artifacts was moved from developers machines onto GitHub Actions, which provides an isolated build environment.

This already reduces risk of artifacts being accidentally or maliciously modified during the release process. The layout of the build and release process before used a build script which built the software from source, built the docs, and then ran tests all in the same isolated job. This was totally fine on a developers' machine where there isn't any isolation possible between different stages.

Build DependenciesBuild Dependenci...Build SourceBuild SourceSource ArtifactsSource Artifa...Docs ArtifactsDocs ArtifactsSource
CodeSource...Docs DependenciesDocs DependenciesBuild DependenciesBuild Dependenci...Build SourceBuild SourceSource ArtifactsSource Artifa...Docs ArtifactsDocs ArtifactsSource
CodeSource...Docs DependenciesDocs DependenciesBuild DocsBuild DocsTestingTestingBuild DocsBuild DocsTestingTestingSource ArtifactsSource Artifa...Text is not SVG - cannot display
Before and after splitting up build stages

With GitHub Actions we can isolate each stage from the others and remove the need to install all dependencies for all jobs into the same stage. This drastically reduces the number of dependencies, each representing a small amount of risk, for the stages that are critical for supply chain security of CPython (specifically the building of source artifacts).

Above you can see on the left the previous process which pulls all dependencies into the same job (represented as a gray box) and the right being the new process having split up the builds and testing and the source and docs builds.

After doing this split the "Build Source" task only needs ~170 dependencies instead of over 800 dependencies (mostly for documentation LaTeX and PDFs) and all of those dependencies either come with the operating system and thus can't be reduced further or are pinned in a lock file.

The testing stage still has access to the source artifacts, but only after they've been uploaded to GitHub Action Artifacts and aren't able to modify them.

I plan to write a separate in-depth article about dependencies, pinning, and related topics, stay tuned for that.

SOSS Community Day 2024 recordings

The recordings for my talk and the OpenSSF tabletop session have been published to YouTube:

Embrace the Differences: Securing open source software ecosystems where they are

In the talk I discuss the technical and also social aspects of why it's sometimes difficult to adopt security changes into an open source ecosystem. Ecosystem-agnostic work (think memory safety, provenance, reproducible builds, vulnerabilities) tends to operate at a much higher level than the individual ecosystems where the work ends up being applied.

OpenSSF Tabletop Session

The tabletop session had many contributors representing all the different aspects of discovering, debugging, disclosing, fixing, and patching a zero-day vulnerability in an open source component that's affecting production systems.

Tabletop Session moderated by Dana Wang

Mentoring for Google Summer of Code

Google Summer of Code 2024 recently published its program and among the projects and contributors accepted was CPython's project for adopting the Hardened Compiler Options Guide for C/C++. I'm mentoring the contributor through the process of contributing to CPython and hopefully being successful in adopting hardened compiler options.

Other items

• Windows artifacts on python.org will have Software Bill-of-Materials documents after the next CPython release. Final step of uploading the documents to python.org has been merged.
• SBOM generation has been added to the Windows build scripts for core developers using Windows.
• Working on PyCon US 2024 talk slides with Michael Winser.
• Co-authoring the "Trusted Publishing for All Package Repositories" guide for the OpenSSF Securing Software Repos WG.
• Submitted a few bugfixes and released Truststore v0.9.0, upgraded pip's vendored copy.
• Created the April report for Alpha-Omega

That's all for this week! 👋 If you're interested in more you can read last week's report.

Thanks for reading! ♡ Did you find this article helpful and want more content like it? Get notified of new posts by subscribing to the RSS feed or the email newsletter.

This work is licensed under CC BY-SA 4.0