Sunday, April 28, 2024

White House recommends use of memory-safe languages like Python


Earlier this week the White House published a report recommending the use of memory-safe programming languages to eliminate a whole class of vulnerabilities affecting software. The report cites claims from large software producers like Google and Microsoft, which estimate that 70% of vulnerabilities affecting software are due to memory-safety issues.

Back in December of 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published a report that included a list of memory-safe programming languages, among them the Python programming language.

The Python Software Foundation's response to the US Government's Request for Information noted Python's memory safety and its ability to wrap code written in C, C++, and Rust, among other systems languages. Part of Python's popularity stems from the large number of community-maintained packages using this feature for performance, wrapping existing libraries, and low-level API access.

Cryptography is one of the most trusted Python libraries for cryptographic primitives, installed nearly 10 million times per day. Cryptography started migrating from C to Rust for security reasons in 2020 and made the first release with Rust binary extensions in 2021. You can listen to maintainers Paul Kehrer and Alex Gaynor discuss this non-trivial migration in their PyCon 2022 talk.

The migration of the cryptography library involved tools like PyO3 and setuptools-rust that enable easier adoption of Rust binary extensions. There is already a lot of buzz around using Rust and Python together: the adoption of Rust in Python packages has been rising steadily, from the single digits in 2020 to hundreds of packages using Rust today.

There are many opportunities to learn about writing Python binary extensions using Rust. For example, at PyCon US 2024 there will be a tutorial about getting started with PyO3 and a talk on PyO3 and maturin, a PEP 517 build backend for Rust, by a maintainer of the PyO3 project.

Historically, Python binary extensions have been built mostly using C and C++, meaning there are many projects which, for reasons like backwards compatibility or lack of resources and time, cannot or do not want to migrate to Rust. For these projects, the use of compiler options can harden binaries against some memory-safety issues. The OpenSSF Best Practices working group has published a list of compiler options to consider adopting in order to harden builds of C and C++ code.
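As an added illustration that is not part of the original post or of the OpenSSF guide, the following script audits a GCC/Clang command line, such as one captured from an extension build log, for a few of the hardening options that guide lists. The function name, the chosen subset of flags, the `_FORTIFY_SOURCE` threshold of 2 and the sample command lines are assumptions made for this example.

```python
import shlex
import sysconfig

REQUIRED_CFLAGS = ("-fstack-protector-strong", "-fstack-clash-protection")
REQUIRED_LD_OPTS = ("relro", "now", "noexecstack")  # passed to the linker as -Wl,-z,<opt>

# Constructed sample command lines, not taken from any real project.
HARDENED = ("gcc -O2 -fstack-protector-strong -fstack-clash-protection "
            "-D_FORTIFY_SOURCE=3 -Wl,-z,relro,-z,now -Wl,-z,noexecstack -c ext.c")
WEAK = "gcc -O0 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wl,-z,relro -c ext.c"


def audit_flags(command_line):
    """Return a sorted list of hardening options missing from a GCC/Clang command line."""
    tokens = shlex.split(command_line)
    missing = [f for f in REQUIRED_CFLAGS if f not in tokens]

    # Linker options may be written "-Wl,-z,relro,-z,now" or as separate -Wl, tokens.
    ld_opts = set()
    for tok in tokens:
        if tok.startswith("-Wl,"):
            parts = tok.split(",")[1:]
            ld_opts.update(b for a, b in zip(parts, parts[1:]) if a == "-z")
    missing += ["-Wl,-z," + o for o in REQUIRED_LD_OPTS if o not in ld_opts]

    # The last -D/-U of _FORTIFY_SOURCE and the last -O level on the line win.
    fortify, opt = 0, "0"  # compilers default to -O0 and no fortification
    for tok in tokens:
        if tok.startswith("-D_FORTIFY_SOURCE"):
            level = tok.partition("=")[2]
            fortify = int(level) if level.isdigit() else 1  # bare -Dname means 1
        elif tok == "-U_FORTIFY_SOURCE":
            fortify = 0
        elif tok.startswith("-O"):
            opt = tok[2:] or "1"  # plain -O is -O1
    if fortify < 2:  # threshold chosen for this example
        missing.append("-D_FORTIFY_SOURCE=2 (or 3)")
    elif opt == "0":
        # glibc only enables the fortified functions when optimization is on.
        missing.append("-O1 or higher (needed for _FORTIFY_SOURCE)")
    return sorted(missing)


if __name__ == "__main__":
    for name, line in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_flags(line))
    # Flags this interpreter was built with (may be empty, e.g. on Windows).
    own = " ".join(sysconfig.get_config_var(v) or "" for v in ("CFLAGS", "LDFLAGS"))
    print("interpreter build flags", audit_flags(own))
```

The check only inspects the command line; confirming that the resulting shared object actually carries the protections requires examining the binary itself.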

There is still much work to be done to secure the Python ecosystem, and it can't be done without our amazing community of contributors and maintainers. We look forward to more funding in this area as part of the industry's adoption of memory-safe programming languages. If you are interested in being part of conversations around improving security in Python, we invite you to open a thread on discuss.python.org.
