Merge pull request #1 from sethmlarson/patch-1

Author: miketheman

alpha/engagements/2026/Python Software Foundation/2026-03.md

@@ -71,3 +71,72 @@ sharing malware report takedown data and discussing remediation approaches.
 - Fixed a [crates.io rendering issue](https://github.com/rust-lang/crates.io/pull/13173) for long text on security pages
 - Examined PyPI's fork of `camo`, proposed [upstream fix](https://github.com/cactus/go-camo/pull/86)
 - Contributed to PSF Newsletter updates for Q1
+
+## Security Developer-in-Residence (Seth Larson)
+
+### Conferences: PyCon US, EuroPython
+
+The security talk track Trailblazing Python Security
+is finalized and the schedule has been published:
+
+https://us.pycon.org/2026/tracks/security/
+
+Juanita Gomez and I have created social media posts
+for each speaker and a blog post for the announcement.
+
+Michael Winser and I will be presenting at PyCon US
+as a Sponsored Talk for Alpha-Omega. I'll also be
+giving a PSF Security Update on the main stage on the
+last day of the main conference and participating in sprints.
+
+My talk submission to EuroPython 2026 titled
+"Learning from the not-so-secret Python security cabal" was accepted.
+EuroPython runs July 13-19th in Kraków, Poland. The
+Python Language Summit, the annual gathering of core
+developers will be taking place at EuroPython. I plan
+to submit a talk to the summit once the CFP is open.
+
+### Dependency Cooldowns, LiteLLM
+
+Asked Andrew Nesbitt to write a break-down of dependency cooldown features
+across other packaging ecosystems. Andrew wrote a [blog post](https://nesbitt.io/2026/03/04/package-managers-need-to-cool-down.html)
+which references NPM, uv, pip, and Dependabot. This conversation
+inspired [adopting dependency cooldowns in git-pkgs](https://github.com/git-pkgs/proxy/pull/17).
+
+LiteLLM supply-chain attack (and follow-up attacks) occurred in March,
+Mike and I responded to these attacks, cleaning up malware, talking
+to the maintainers, and posting about ways to mitigate attacks like
+this. Dependency Cooldowns came up, again, in these converstaions.
+
+Our likely short-term strategy for solving this is through
+globally set relative dependency cooldowns for Python packages.
+UV already supports this, pip has added support via `--uploaded-prior-to`
+for absolute values but relative values [are coming in v26.1](https://github.com/pypa/pip/pull/13625) with
+reviews from Seth. Seth blogged about a hack to have [relative dependency
+cooldowns using pip with crontab](https://sethmlarson.dev/pip-relative-dependency-cooling-with-crontab).
+
+Restarted conversation to [limit "open-ended releases" on PyPI](https://discuss.python.org/t/restricting-open-ended-releases-on-pypi/43566/34).
+Mike provided data for which packages have taken advantage of this "feature"in the past 5 years.
+
+### Python Security Response Team
+
+Met with the Steering Council to discuss nomination process.
+Added Adam Turner and Emma Smith to the PSRT.
+
+Created a [pull request](https://github.com/python/devguide/pull/1769) which proposes auto-assigning coordinators
+to idle issues after a certain number of days. The PR also
+includes flow-charts and check lists to better help coordinators
+make decisions throughout the process.
+
+Working on a new tool which generates a report of the
+status of every GHSA ticket across multiple repositories.
+Will be using this tool to track how PSRT process improvements
+are proceeding.
+
+### Other items
+
+* Ruff added a new rule (RUF071) for `os.path.commonprefix()`
+  which is deprecated in Python 3.15.
+* Created a [GitHub team/CODEOWNERs for OSS-Fuzz maintainers](https://github.com/python/cpython/pull/145786)
+* Authored security engineering section of the PSF quarterly newsletter.
+* Attended Alpha-Omega OSCSE meeting.