XZ Utils cyberattack vs. CherryPy

27 views
Skip to first unread message

Florian Berger

unread,
Apr 22, 2024, 8:07:34 AMApr 22
to cherrypy-users
The Open Source Security (OpenSSF) and OpenJS Foundations have issued ad alert for social
engineering Takeovers of Open Source Projects:
https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/

In this, they list suspicious patterns in social engineering takeovers.

I have two questions:

1) Are there, or have there been any known past or ongoing actions of malicious intent towards CherryPy?

2) How prepared is the CherryPy project in the face of the sophistication of the attack that had
been carried out against the XZ Utils project?

I can draw some conclusions from the CherryPy repository activity, and I learned about the Tidelift
programme that apparently funds some security aspects, but I'd still be interested in an overview.
Any feedback greatly appreciated.


Kind regards

Florian Berger

Sviatoslav Sydorenko (@webknjaz)

unread,
Apr 26, 2024, 1:10:02 PMApr 26
to cherrypy-users
Hey Florian, sorry, I forgot to respond earlier.

понеділок, 22 квітня 2024 р. о 14:07:34 UTC+2 Florian Berger пише:
The Open Source Security (OpenSSF) and OpenJS Foundations have issued ad alert for social
engineering Takeovers of Open Source Projects:
https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/

In this, they list suspicious patterns in social engineering takeovers.

I have two questions:

1) Are there, or have there been any known past or ongoing actions of malicious intent towards CherryPy?

No, there haven't been any.

2) How prepared is the CherryPy project in the face of the sophistication of the attack that had
been carried out against the XZ Utils project?

We're attentive to what we're merging. And I don't think we've invited anybody new to maintain since
I got my commit bit many years ago. With the XZ thing becoming public, we're definitely more aware
of the threat. But I don't think there's anything more to do in the area.
 
I can draw some conclusions from the CherryPy repository activity, and I learned about the Tidelift
programme that apparently funds some security aspects, but I'd still be interested in an overview.
Any feedback greatly appreciated.

Yeah, Tidelift partners with OpenSSF, I think. They give us some tasks to implement, including security-
related ones. They even invited us to participate in some research in the past but I ended up not joining.

Additionally, both active maintainers have a lot of other projects in their care, which results on scaling
new maintenance approaches (including security) across many repositories. We may not be very active
in the repository as the framework is pretty much feature-complete but we're still watching over everything
with care and try adopt best practices as we streamline them across many other projects.

-S
Reply all
Reply to author
Forward
0 new messages