Steering Council nomination: Christian Heimes (2020 term)

I’m nominating myself for the upcoming 2020 term of the Steering Council.

Brett and Guido had asked me to put myself up for voting in the previous election. Since there were plenty of candidates from the Python core team already, I decided against nominating myself. Instead I reached out to non-core developers in an attempt to make the steering council more diverse. The lack of candidates on Wednesday motivated me to throw my hat in the ring.

Online presence

Python core development

I joined the core team in late 2007. In the early years I made substantial contributions to Python 3000 and took care of backports to Python 2 with the infamous svnmerge tool. Some of my early contributions include the b’’ string prefix for Python 2 and improvements for math and float like float(‘inf’). I also ported the Windows builds from Visual Studio 2003 to VS 2008 and reshaped the PCbuild directory.

Since CVE-2012-1150 I’m a member of the Python Security Response Team (PSRT). In my role as PSRT member I triage incoming security bug reports and work with reporters to fix security bugs.

I’m the maintainer of the ssl module and co-maintainer of the hashlib module. Amongst others I ported Python to new OpenSSL 1.1 APIs, added TLS 1.3 support, fixed several issues related to hostname verification, and recently made both modules compatible with strict crypto policies and FIPS. I also added support for sha3, shake, and blake2 to the hashlib module.

In the past 12 years I have authored four PEPs, co-authored three additional PEPs, and was the BDFL-delegate of one PEP.

  • PEP 369 Post import hooks (withdrawn)
  • PEP-370 Per user site-packages directory (finished)
    • The feature implements the logic behind python install --user and pip install --user
  • PEP-452 API for Cryptographic Hash Functions v2.0 (based on AMKs PEP 247, finished)
  • PEP-456 Secure and interchangeable hash algorithm (finished)
    • Fix for hash collision attacks (CVE-2012-1150, CVE-2013-7040)
  • PEP-543 A Unified TLS API for Python (with Cory Benfield, open)
  • PEP-578 Python Runtime Audit Hooks (BDFL-delegate, finished)
  • PEP 594 Removing dead batteries from the standard library (open)
  • PEP-8001 Python Governance Voting Process (co-author, accepted)

Python community and contributions

Since 2008 I’m a member and fellow of the Python Software Foundation.

Besides Python core I also maintain or contribute to other Python packages. I’m the author and maintainer of defusedxml, which explains various XML attacks and protects Python’s stdlib against them. The package is in the top 200 PyPI packages and has more than 5 million downloads per month. I created pysha3, which is now an internal module of Python’s stdlib.

Before I became a Python core developer I was a core contributor to Zope and Plone Content Management System since 2002.

I enjoy attending conferences and giving talks. In the last two years I gave one keynote, 19 talks at 17 events, attended more than five sprints, and represented Python core at the Github Satellite event in Berlin. The events are ConFoo Montreal 18/19, DevConf Czechia 18/19, DevConf India 18/19, EuroPython Cardiff and Basel, Pizza Python Hamburg, PyCaribbean Santo Domingo, PyCon Czechia, PyCon Italy, PyCon US Cleveland 18/19 (with Language Summit and sprints), PyCon Russia, Python Core Developer sprints in Seattle and London, PyGotham New York, and PyLondinium in London.

Current employer

I’m employed by Red Hat (now owned by IBM) as a Principal Software Engineer in the platform identity management and security engineering department. I mainly work on the core of identity management system FreeIPA and integration of FreeIPA with other software stacks. FreeIPA consists of 389-DS LDAP server, Dogtag PKI certificate system, MIT Kerberos, SSSD, and more technologies written in Python, C, Java, and JavaScript.

As part of my job I also maintain packages for RHEL and Fedora. The tasks include packaging open source code for the distributions (downstream) as well as fixing bugs and submitting patches to projects (upstream). Red Hat has a strong “upstream first” policy. All my code is open source.

Unlike others like Victor Stinner or Brett Cannon I don’t have a formal agreement that I’m permitted to dedicate a fixed amount of work time to other open source projects. I’m still able and allowed to dedicate some work time to Python, because the security of Python and certain improvements are of mutual interest to my employer, too. I also assist the Python maintenance team sometimes and act as a liaison between Red Hat product security and Python Security Response Team. My manager lets me attend conferences and events like the language summit on work time, too.


My agenda for the steering council can be summarized as “protect and stabilize the base”. I care less about new language features for the upcoming term. In my opinion it is more important to focus on stable API/ABI on one hand and a multi-year effort to improve the performance of the CPython runtime on the other hand. This agenda would also give alternative implementations like PyPy give a chance to catch up. Sustainability of core development and community concerns me, too.

Python has come far and is now (depending on the metrics) third or second most popular programming language. It has become a dominant language in all sorts of areas from teaching kids how to code to groundbreaking scientific discoveries like gravitational waves and the first picture of a black hole. The communities around NumPy, SciPy, and Jupyter have enabled Python to become one of the major languages for data science and artificial intelligence besides R and Julia. For me these facts indicates that Python as a language has become mature. It’s the implementation and delivery mechanisms that have to evolve in order to stay competitive with languages like Java, JavaScript, and Go.

  • Performance is pivotal for the future of Python. Users have criticised the lack of concurrency and high memory usage in CPythons. Proposals like gilectomy, subinterpreters, tagged pointers, or replacing reference counting with GC could advance CPython a lot. They are also major undertakings that cannot be implemented by a single developer in her or his free time. I think that paid and funded development is viable way to tackle these hard problems.
  • CPython is developed and maintained by volunteers, mostly in their free time. A handful can spend some work time. I like to support avenues that reduce the burden on core devs like more automation, reducing the stdlib (e.g. my PEP 594), and onboarding of new members to spread our workload.
  • Python’s weak spots are browsers and mobile devices. I’m not qualified to improve the situation myself, but I like to support developers like Russel to make Python programs usable in browsers, Android, iOS, and similar platforms.
  • I consider packaging and PyPI another critical element of Python’s future. The Python Packaging Authority and PSF infrastructure team handle these areas well. As a steering council member I would trust their expertise and delegate packaging-related decisions.
  • Corporate sponsorship is necessary sooner rather than later. I completely share Thomas Wouters’ vision for paid work and funding.
  • Finally, the Python community is a major and crucial element of Python’s success story. Therefore I support any and all efforts that keeps/makes Python an open, inclusive, diverse, and welcoming community.

FYI, this is in the wrong category, but since the Steering Council Nominations category is moderated, I can’t put it in there. I expect a site admin will have to edit this post to move it there.

I just realized that myself. I must have accidentally selected the wrong category. Now I can neither move nor delete my post. Let’s wait for a site admin to move it to the correct spot.

I’ve moved the post.