
Visualizing CPython Release Process

Episode #431, published Fri, Sep 29, 2023, recorded Thu, Sep 28, 2023

Every year Python has a new major release. This year it's Python 3.12 and it'll come out on October 2, 2023. That's 4 days from when this episode was published. There is quite a process involved in testing, building, and shipping Python across many platforms and channels. We have Seth Michael Larson here to give us a detailed rundown on what exactly is involved in releasing CPython.

Watch this episode on YouTube
Watch the live stream version

Episode Deep Dive

Guest introduction and background

Seth Michael Larson: Seth is the Python Software Foundation’s inaugural Security Developer in Residence. His work is funded by the OpenSSF Alpha-Omega project and involves ensuring that Python, PyPI, and related open-source components stay secure. He also maintains significant Python packages, including urllib3 (one of Python’s most-downloaded libraries). Seth’s role focuses on preventing supply chain attacks, improving release processes, and offering guidance on best security practices throughout the Python ecosystem.

What to Know If You’re New to Python

If you’re starting with Python, here are a few essential ideas covered in this episode to help you follow along:

  • Understand that CPython is the reference implementation of the Python language. The discussion centers on how CPython is packaged and released.
  • Realize that volunteer developers build and test Python for multiple platforms.
  • Learn that release candidates precede the final version, ensuring robust testing.
  • Look out for security best practices around installing Python and its packages.

Key points and takeaways

  1. Inside the CPython Release Process: The discussion opens with an exploration of how the official Python distribution (a.k.a. CPython) is released each year. Seth explains how volunteers coordinate, freeze code changes, and run checks before publishing binaries. This is done to ensure new versions are stable and secure.
  2. Security at the Heart of Python: Seth’s core mission involves spotting potential security weaknesses in the build and release process. He focuses on verifying that what users download is exactly what was tested and approved, ensuring no malicious code sneaks in. This focus on “supply chain security” includes signing builds and verifying cryptographic checks.
  3. Comparing Windows vs. macOS Releases: The release process differs across platforms. Windows builds rely on Azure Pipelines for automation, enabling more standardized and reproducible installers. By contrast, macOS installers are still built on a local machine and notarized via Apple’s tooling. Both approaches include code signing, yet each faces unique challenges.
  4. Tagging, Testing, and Final Sign-Off: Before the official release, there is thorough testing on each platform. Once testing checks out, maintainers sign the artifacts with GPG and/or Sigstore. Only after these final steps do they push the official “release” tag to GitHub, preventing any confusion from partial or failed release attempts.
  5. Volunteer Contributors and Coordinator Roles: Seth highlights that much of Python’s maintenance is driven by volunteers. Distinct roles—like Windows Release Manager, macOS experts, and security developers—coordinate in tandem. The diversity of volunteer backgrounds helps keep Python vibrant and covers many corner cases for each OS and platform.
  6. Spotlighting pip-audit for Dependency Security: One standout security tip is using pip-audit to keep track of vulnerabilities in your Python dependencies. Seth explains that it scans installed packages (and their versions) for known issues and suggests safer, updated alternatives.
  7. Potential Process Improvements: There is a push to make macOS and local build steps more reproducible, similar to how Windows is built on Azure. Efforts include exploring Docker or standardized virtual machines to reduce differences between local environments and official releases.
  8. Python 3.12 Features and Release Timing: This new release focuses on performance enhancements, refined f-strings, and better typing support. Python 3.12 was slated for an October 2, 2023 release after multiple beta and RC phases—illustrating the thoroughness of the whole pipeline.
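Points 2 and 4 above come down to one user-side check: the bytes you downloaded must be exactly the bytes the release managers tested and signed. Below is an added illustration of that check, written for this page rather than taken from the episode, the CPython release tools, or python.org. It assumes a checksum manifest in the common `sha256sum` text format (one `<hex digest>  <filename>` entry per line) and uses constructed artifact bytes in place of real installers; signature verification with GPG or Sigstore would sit on top of this and is not shown.

```python
"""Verify downloaded release artifacts against a published SHA-256 manifest.

Added illustration, not code from the episode or the CPython release tools.
Assumes a manifest in `sha256sum` text format: "<hex digest>  <filename>".
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Result:
    name: str
    status: str            # "ok", "mismatch", or "missing"
    expected: str          # digest published in the manifest
    actual: Optional[str]  # digest of the bytes we actually have, if any


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse `sha256sum`-style lines into {filename: expected_hex}.

    A line that is not "<64 hex chars>  <name>" raises instead of being
    skipped, so a truncated or corrupted manifest fails loudly rather than
    silently leaving an artifact unchecked.
    """
    manifest: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: not a '<digest>  <filename>' entry")
        digest = parts[0].lower()
        name = parts[1].lstrip("*")  # a leading '*' marks binary mode in sha256sum output
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: malformed SHA-256 digest")
        manifest[name] = digest
    return manifest


def verify_artifacts(manifest_text: str, files: dict[str, bytes]) -> list[Result]:
    """Compare every manifest entry against the bytes that were downloaded.

    Every listed artifact gets a verdict; one that is absent from `files`
    is reported as "missing" so the caller cannot mistake "not checked"
    for "checked and fine".
    """
    results: list[Result] = []
    for name, expected in parse_sha256sums(manifest_text).items():
        data = files.get(name)
        if data is None:
            results.append(Result(name, "missing", expected, None))
            continue
        actual = sha256_hex(data)
        # compare_digest is constant-time; cheap insurance even for a local check.
        status = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
        results.append(Result(name, status, expected, actual))
    return results


def all_verified(results: list[Result]) -> bool:
    """True only if the manifest was non-empty and every artifact matched."""
    return bool(results) and all(r.status == "ok" for r in results)


if __name__ == "__main__":
    # Constructed sample: two "downloaded" installers, one of them altered.
    good = b"pretend this is a Python installer\n"
    tampered = good + b"extra bytes appended after signing"
    manifest = (
        f"{sha256_hex(good)}  python-example-amd64.exe\n"
        f"{sha256_hex(good)}  python-example-macos.pkg\n"
    )
    downloaded = {"python-example-amd64.exe": good, "python-example-macos.pkg": tampered}
    for r in verify_artifacts(manifest, downloaded):
        print(f"{r.status:8} {r.name}")
```

The manifest itself only helps if it is fetched over a trusted channel or is covered by a signature; a checksum that travels next to the tampered file proves nothing, which is why the release process signs the artifacts as well.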

Interesting quotes and stories

  • On open source speed vs. reliability: Seth points out that “open source is huge… but you can’t just assign volunteers work.” This highlights Python’s reliance on a passionate but distributed team.
  • Security vs. convenience: The remark “Upgrading dependencies might not be easy when pinned versions conflict, but it’s worth it for security” underscores the trade-offs development teams often face.
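Point 6 above and the quote just above both concern the same check: matching the packages and versions installed in an environment against a database of known-vulnerable version ranges, then pointing at the first fixed release. The following is an added illustration of that matching logic written for this page; it is not pip-audit's own code and the advisories in it are constructed. It does assume the OSV advisory layout used by the PyPA Advisory Database (an `affected` list whose `ranges` carry `introduced`/`fixed` events), and the package name `examplepkg` and ids `EXAMPLE-0001`/`EXAMPLE-0002` are placeholders.

```python
"""Match installed packages against OSV-format advisories.

Added illustration of the check pip-audit performs; this is not pip-audit's
code. Advisory entries below are constructed, with placeholder ids and the
hypothetical package "examplepkg".
"""
from __future__ import annotations

import re
from importlib import metadata

# Constructed advisories in the OSV structure used by the PyPA Advisory Database.
CONSTRUCTED_ADVISORIES = [
    {"id": "EXAMPLE-0001",  # placeholder id, not a real advisory
     "summary": "constructed: hypothetical issue present in all releases before 2.1.0",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "2.1.0"}]}]}]},
    {"id": "EXAMPLE-0002",  # placeholder id, not a real advisory
     "summary": "constructed: hypothetical regression introduced in 3.0.0, fixed in 3.0.4",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "3.0.0"}, {"fixed": "3.0.4"}]}]}]},
]


def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'Example_Pkg' and 'example-pkg' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> tuple:
    """Simplified ordering key: numeric release segments plus an a/b/rc marker.

    Trailing zeros are dropped so 2.1 == 2.1.0, and pre-releases sort before
    the final release. Post/dev/local versions are rejected; a real auditor
    uses the `packaging` library for full PEP 440 semantics.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    pre = ({"a": -3, "b": -2, "rc": -1}.get(m.group(2), 0), int(m.group(3) or 0))
    return tuple(release) + pre


def is_affected(version: str, events: list[dict]) -> bool:
    """True if `version` lies in any [introduced, fixed) interval of an OSV range.

    Events are read in order; an `introduced` without a following `fixed`
    is an open-ended interval. `last_affected` events are not handled here.
    """
    v = version_key(version)
    intervals: list[tuple[str, str | None]] = []
    start: str | None = None
    for ev in events:
        if "introduced" in ev:
            start = ev["introduced"]
        elif "fixed" in ev and start is not None:
            intervals.append((start, ev["fixed"]))
            start = None
    if start is not None:
        intervals.append((start, None))
    return any(version_key(lo) <= v and (hi is None or v < version_key(hi))
               for lo, hi in intervals)


def first_fix(events: list[dict], version: str) -> str | None:
    """Lowest `fixed` version newer than what is installed, if any."""
    fixes = [e["fixed"] for e in events
             if "fixed" in e and version_key(e["fixed"]) > version_key(version)]
    return min(fixes, key=version_key) if fixes else None


def audit(installed: dict[str, str], advisories=CONSTRUCTED_ADVISORIES) -> list[dict]:
    """Return one finding per (advisory, installed package) match."""
    have = {normalize_name(n): v for n, v in installed.items()}
    findings = []
    for adv in advisories:
        for aff in adv["affected"]:
            pkg = aff["package"]
            if pkg.get("ecosystem") != "PyPI":
                continue
            version = have.get(normalize_name(pkg["name"]))
            if version is None:
                continue
            for rng in aff["ranges"]:
                if rng["type"] == "ECOSYSTEM" and is_affected(version, rng["events"]):
                    findings.append({"package": pkg["name"], "version": version,
                                     "id": adv["id"], "fix": first_fix(rng["events"], version)})
    return findings


def installed_distributions() -> dict[str, str]:
    """Name -> version for everything importlib.metadata can see in this environment."""
    return {d.metadata["Name"]: d.version for d in metadata.distributions() if d.metadata["Name"]}


if __name__ == "__main__":
    # Constructed environment: an old and a recently regressed install.
    for f in audit({"ExamplePkg": "1.4.2"}) + audit({"examplepkg": "3.0.2"}):
        print(f"{f['package']}=={f['version']}  {f['id']}  fix: {f['fix']}")
    # Against the real environment the constructed advisories match nothing,
    # but this is the shape of the call a real auditor makes:
    print(f"{len(installed_distributions())} distributions visible")
```

The version comparison here is deliberately narrow; the reason real tooling leans on the `packaging` library is that PEP 440 ordering (post-releases, dev releases, local version labels) is easy to get subtly wrong, and a wrong comparison silently turns a vulnerable install into a clean audit.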

Key definitions and terms

  • PEP (Python Enhancement Proposal): A design document providing information to the Python community or describing a new feature for Python.
  • Notarization (macOS): Apple’s process of scanning software for malicious components, needed before distribution outside the App Store.
  • Supply Chain Security: Ensuring that every step—coding, building, packaging, and releasing—remains free of unauthorized or malicious changes.
  • Mutual TLS (mTLS): A security protocol where both client and server authenticate each other’s certificates.


Overall Takeaway

This conversation illustrates Python’s detailed and volunteer-driven release process, emphasizing how much attention goes into security, consistency, and trustworthiness. From Azure Pipelines for Windows builds to local macOS notarization and cryptographic signing, every step aims to protect users from supply chain attacks. The discussion also underscores how a coordinated community approach, combined with practical tooling (like pip-audit), keeps Python robust, reliable, and continually improving.

Links from the show

Seth on Mastodon: fosstodon.org/@sethmlarson
Seth on Twitter: @sethmlarson
Seth on GitHub: github.com
Announcing Security Developer-in-Residence: sethmlarson.dev
Visualizing the CPython Release Process: sethmlarson.dev
PEP 101: peps.python.org
CPython on GitHub: github.com
Best Open SSF: best.openssf.org
pip-audit: github.com
PyPA Advisory Database: github.com
Omnivore App: omnivore.app
What's New in 3.12: docs.python.org
release-tools package: github.com

Talk Python's HTMX + Django course: talkpython.fm/htmx-django
Watch this episode on YouTube: youtube.com
Episode transcripts: talkpython.fm

--- Stay in touch with us ---
Subscribe to Talk Python on YouTube: youtube.com
Talk Python on Bluesky: @talkpython.fm at bsky.app
Talk Python on Mastodon: talkpython
Michael on Bluesky: @mkennedy.codes at bsky.app
Michael on Mastodon: mkennedy
