Python programming language: Google funds projects aimed at supply-chain security

Google steps up its sponsorship of one of the most popular and important languages for machine learning and artificial intelligence.
Written by Liam Tung, Contributing Writer

Python is critically important to both Google Cloud and, therefore, to users of Google Cloud, and is also used by the search engine giant internally to power many of its core products and services.

Now Google is making a $350,000 donation to support some Python Software Foundation (PSF) projects that aim to improve the supply-chain security of the Python ecosystem.

PSF is the non-profit organization that supports the programming language, which is now more popular than Java, according to some popularity rankings.


Python is big with data scientists thanks to add-ons like NumPy, but it's less widely used for mobile app and web app development, where JavaScript and TypeScript shine.  

Google's additional support for PSF targets three areas, including stopping the distribution of malware via the Python Package Index (PyPI), PSF's official repository of software add-ons for Python.

The support includes malware detection for PyPI, improvements to core Python tools and services, and the contribution of a CPython (Core Python) developer-in-residence role for 2021. 

The role is full-time and aims to help the CPython project prioritize maintenance and address its backlog of issues.

The Python Steering Council and Python Software Foundation will work together to hire a developer to help CPython prioritize tasks and understand how the backlog can be addressed. 

The developer will also survey maintainers to get a better picture of CPython, which will be used to ensure future funding and volunteer hours are allocated effectively. 

As PSF explains, Google's extra sponsorship funds will be used to address "critical supply-chain security improvements, including developing productized malware detection for PyPI, a prototype of dynamic analysis infrastructure for distributions, and other foundational tool improvements."

Software distribution supply-chain attacks have come into focus after enterprise software maker SolarWinds was hacked by suspected Russian attackers. The attackers exploited its Orion infrastructure-monitoring software updates to plant a backdoor in organizations of interest.

Python packages have also been used to distribute malware targeting the financial sector.  

Google has sponsored PSF since 2010 and becomes the open source language's first "visionary sponsor". Python was created in 1989 by Guido van Rossum, who returned from retirement last year to work for Microsoft's expanding open-source teams. Previously, he'd headed up Python efforts at Dropbox.

Van Rossum stepped down as Python's Benevolent Dictator for Life (BDFL) in 2018. Other key sponsors of Python include Salesforce, Fastly, Bloomberg, and Microsoft Azure. 


Google is also donating Google Cloud infrastructure to PSF to support PSF operations, such as the Python Package Index.

"Google Cloud has given us access to crucial peering agreements via Cloud Storage that allow us to cost effectively serve PyPI downloads while being good stewards of the limited resources we have from other infrastructure providers," said Ee Durbin, director of infrastructure, Python Software Foundation. 

"Publishing PyPI's analytics as a public dataset on BigQuery has reduced the burden of supporting and managing access to information that has proven critical to maintainers of libraries as well as the team that keeps PyPI online," added Durbin. 
