SPEC 8 — Supply-Chain Security

tupui · May 1, 2024, 5:38pm

I would like to propose a reflection on best practices that projects should follow to secure their projects from a supply-chain perspective.

A few ideas of things to consider to help Quickstart the discussion:

OpenSSF has a scorecard system and I think it would be good to follow their recommendations. They also provide scorecards with interesting metrics.
Trusted Publishers: GitHub to PyPi
SLSA, secure artifacts. It’s easy to do with GH actions, e.g. with Flask
Build on top of SPEC 6 (keys to the castle)
else …

stefanv · May 1, 2024, 5:42pm

A very relevant problem, and one that we have, historically, not paid enough attention to

pllim · May 1, 2024, 6:51pm

Re: Trusted Publishers – Last I checked, it does not work if you use publish workflow from template. Has that changed?

tupui · May 1, 2024, 7:01pm

Can you clarify what you mean? I use Trusted publishers on a few projects without issues. Are you saying it’s difficult to automate the setup of new projects due to the extra steps required? i.e. not just a token, but you need to create an environment on GH and share that to PyPi.

pllim · May 1, 2024, 7:10pm

@tupui , I was referring to Supported PyPI trusted publishers · Issue #136 · OpenAstronomy/github-actions-workflows · GitHub and Trusted publishing: Support for GitHub reusable workflows · Issue #11096 · pypi/warehouse · GitHub

juanis2112 · May 1, 2024, 7:17pm

I’m doing an analysis on lots of projects based on the scorecards system as part of my PhD research. Happy to be pat of this discussions and help working on this spec.

betatim · May 3, 2024, 2:15pm

An additional thing to add to the list are more “social” things than technical:

work to disconnect platform (like GitHub) privileges from “status in the project”
- e.g. reduce the amount of privileged accounts and document people’s status via something that isn’t “commit rights” or “admin” status on GitHub
“never be in a hurry” - work on establishing routines that mean you are never in a hurry and that it is normal to push back against people who do try to create a sense of urgency
- e.g. the story around xz involved some amount of creating a sense of urgency and immediacy for the maintainers. If it was normal to push back on such tactics I think they are less effective.

There are probably more social aspects, but I can’t think of more.

tupui · June 5, 2024, 7:05pm

And we have a PR Thanks a lot everyone for your help on this!

Let’s move discussions there:

github.com/scientific-python/specs

feat: Add SPEC 8 - Securing the Release Process

scientific-python:main ← matthewfeickert:feat/add-spec-08-draft

opened 07:02PM - 05 Jun 24 UTC

matthewfeickert

+227 -0

This SPEC draft was written at the 2024 Scientific Python Developer Summit (http…s://github.com/scientific-python/summit-2024/issues/9). This SPEC outlines the process of adopting security tools and standards to securely publish release artifacts that have already been built (securely building release artifacts will be addressed in a future SPEC). There is a plan to also add a publishing topical guide to the [Scientific Python Developer guides](https://learn.scientific-python.org/development/guides/) to provide more context, nuance, and details following the adoption of this SPEC. We're also very happy to have had guidance from @sethmlarson, the [PSF Security Developer in Residence](https://pyfound.blogspot.com/2023/06/announcing-our-new-security-developer.html) on this SPEC. :rocket: Seth had multiple excellent suggestions that aren't in the draft (as of now) given that this SPEC is meant to be short and focus on the biggest impacts, but all of his recommendations should be present in the planned topical guide. Comments and questions are very much welcomed.