I’m nominating myself for the upcoming 2020 term of the Steering Council.
Brett and Guido had asked me to put myself up for voting in the previous election. Since there were plenty of candidates from the Python core team already, I decided against nominating myself. Instead I reached out to non-core developers in an attempt to make the steering council more diverse. The lack of candidates on Wednesday motivated me to throw my hat in the ring.
Python core development
I joined the core team in late 2007. In the early years I made substantial contributions to Python 3000 and took care of backports to Python 2 with the infamous svnmerge tool. Some of my early contributions include the b'' string prefix for Python 2 and improvements for math and float like float('inf'). I also ported the Windows builds from Visual Studio 2003 to VS 2008 and reshaped the PCbuild directory.
Since CVE-2012-1150 I have been a member of the Python Security Response Team (PSRT). In my role as PSRT member I triage incoming security bug reports and work with reporters to fix security bugs.
I’m the maintainer of the ssl module and co-maintainer of the hashlib module. Amongst others I ported Python to new OpenSSL 1.1 APIs, added TLS 1.3 support, fixed several issues related to hostname verification, and recently made both modules compatible with strict crypto policies and FIPS. I also added support for sha3, shake, and blake2 to the hashlib module.
In the past 12 years I have authored four PEPs, co-authored three additional PEPs, and was the BDFL-delegate of one PEP.
- PEP 369 Post import hooks (withdrawn)
- PEP-370 Per user site-packages directory (finished)
  - The feature implements the logic behind python setup.py install --user and pip install --user
- PEP-452 API for Cryptographic Hash Functions v2.0 (based on AMK's PEP 247, finished)
- PEP-456 Secure and interchangeable hash algorithm (finished)
  - Fix for hash collision attacks (CVE-2012-1150, CVE-2013-7040)
- PEP-543 A Unified TLS API for Python (with Cory Benfield, open)
- PEP-578 Python Runtime Audit Hooks (BDFL-delegate, finished)
- PEP 594 Removing dead batteries from the standard library (open)
- PEP-8001 Python Governance Voting Process (co-author, accepted)
Python community and contributions
Since 2008 I have been a member and fellow of the Python Software Foundation.
Besides Python core I also maintain or contribute to other Python packages. I’m the author and maintainer of defusedxml, which explains various XML attacks and protects Python’s stdlib against them. The package is in the top 200 PyPI packages and has more than 5 million downloads per month. I created pysha3, which is now an internal module of Python’s stdlib.
Before I became a Python core developer I had been a core contributor to Zope and the Plone Content Management System since 2002.
I enjoy attending conferences and giving talks. In the last two years I gave one keynote, 19 talks at 17 events, attended more than five sprints, and represented Python core at the GitHub Satellite event in Berlin. The events are ConFoo Montreal 18/19, DevConf Czechia 18/19, DevConf India 18/19, EuroPython Cardiff and Basel, Pizza Python Hamburg, PyCaribbean Santo Domingo, PyCon Czechia, PyCon Italy, PyCon US Cleveland 18/19 (with Language Summit and sprints), PyCon Russia, Python Core Developer sprints in Seattle and London, PyGotham New York, and PyLondinium in London.
As part of my job I also maintain packages for RHEL and Fedora. The tasks include packaging open source code for the distributions (downstream) as well as fixing bugs and submitting patches to projects (upstream). Red Hat has a strong “upstream first” policy. All my code is open source.
Unlike others like Victor Stinner or Brett Cannon I don’t have a formal agreement that I’m permitted to dedicate a fixed amount of work time to other open source projects. I’m still able and allowed to dedicate some work time to Python, because the security of Python and certain improvements are of mutual interest to my employer, too. I also assist the Python maintenance team sometimes and act as a liaison between Red Hat product security and the Python Security Response Team. My manager lets me attend conferences and events like the language summit on work time, too.
My agenda for the steering council can be summarized as “protect and stabilize the base”. I care less about new language features for the upcoming term. In my opinion it is more important to focus on stable API/ABI on one hand and a multi-year effort to improve the performance of the CPython runtime on the other hand. This agenda would also give alternative implementations like PyPy a chance to catch up. Sustainability of core development and community concerns me, too.
- Performance is pivotal for the future of Python. Users have criticised the lack of concurrency and high memory usage in CPython. Proposals like gilectomy, subinterpreters, tagged pointers, or replacing reference counting with GC could advance CPython a lot. They are also major undertakings that cannot be implemented by a single developer in her or his free time. I think that paid and funded development is a viable way to tackle these hard problems.
- CPython is developed and maintained by volunteers, mostly in their free time. A handful can spend some work time. I like to support avenues that reduce the burden on core devs like more automation, reducing the stdlib (e.g. my PEP 594), and onboarding of new members to spread our workload.
- Python’s weak spots are browsers and mobile devices. I’m not qualified to improve the situation myself, but I like to support developers like Russell to make Python programs usable in browsers, Android, iOS, and similar platforms.
- I consider packaging and PyPI another critical element of Python’s future. The Python Packaging Authority and PSF infrastructure team handle these areas well. As a steering council member I would trust their expertise and delegate packaging-related decisions.
- Corporate sponsorship is necessary sooner rather than later. I completely share Thomas Wouters’ vision for paid work and funding.
- Finally, the Python community is a major and crucial element of Python’s success story. Therefore I support any and all efforts that keep/make Python an open, inclusive, diverse, and welcoming community.