Steering Council nomination: Christian Heimes (2021 term)

I’m nominating myself for the upcoming 2021 term of the Steering Council.

Online presence


For the most part my nomination is similar to my 2020 nomination. Mentionable updates are

  • I joined the new Diversity & Inclusion Working Group (to be announced soon).

  • In the mid to long term, Python should focus more on performance, mobile platforms, and sustainability of core development. Therefore I’m in favor of paid work and more automation. I also recognize that money can cause conflicts in a volunteer-driven project such as CPython.

  • I support the decisions of the 2020 Steering Council in recent CoC violation cases.

  • New PEP 644 Require OpenSSL 1.1 or newer

  • My involvement in the design and creation of the new Fedora Account System for CentOS, Fedora, and OpenSUSE communities.

  • More events and conference talks

Python core development

I joined the core team in late 2007. In the early years I made substantial contributions to Python 3000 and took care of backports to Python 2 with the infamous svnmerge tool. Some of my early contributions include the b'' string prefix for Python 2 and improvements for math and float like float('inf'). I also ported the Windows builds from Visual Studio 2003 to VS 2008 and reshaped the PCbuild directory.

Since CVE-2012-1150 I have been a member of the Python Security Response Team (PSRT). In my role as PSRT member I triage incoming security bug reports and work with reporters to fix security bugs.

I’m the maintainer of the ssl module and co-maintainer of the hashlib module. Amongst others I ported Python to new OpenSSL 1.1 APIs, added TLS 1.3 support, fixed several issues related to hostname verification, and recently made both modules compatible with strict crypto policies and FIPS. I also added support for sha3, shake, and blake2 to the hashlib module.

In the past 13 years I have authored five PEPs, co-authored three additional PEPs, and was the BDFL-delegate of one PEP.

  • PEP 369 Post import hooks (withdrawn)

  • PEP 370 Per user site-packages directory (finished). The feature implements the logic behind python install --user and pip install --user

  • PEP 452 API for Cryptographic Hash Functions v2.0 (based on AMK’s PEP 247, finished)

  • PEP 456 Secure and interchangeable hash algorithm (finished). Fix for hash collision attacks (CVE-2012-1150, CVE-2013-7040)

  • PEP 543 A Unified TLS API for Python (with Cory Benfield, withdrawn)

  • PEP 578 Python Runtime Audit Hooks (BDFL-delegate, finished)

  • PEP 594 Removing dead batteries from the standard library (open)

  • PEP 644 Require OpenSSL 1.1 or newer

  • PEP 8001 Python Governance Voting Process (co-author, accepted)

Python community and contributions

Since 2008 I have been a member and fellow of the Python Software Foundation. Just recently I joined the new Diversity & Inclusion Working Group, which was formed to further the PSF’s mission to ‘support and facilitate the growth of a diverse and international community of Python programmers’. The WG will be officially announced soon.

Besides Python core I also maintain or contribute to other Python packages. I’m the author and maintainer of defusedxml, which explains various XML attacks and protects Python’s stdlib against them. The package is in the top 200 PyPI packages and has more than 5 million downloads per month. I created pysha3, which is now an internal module of Python’s stdlib.

Before I became a Python core developer I was a core contributor to Zope and Plone Content Management System since 2002.

I enjoy attending conferences and giving talks. In the past years I gave one keynote, talks at over 20 events, attended more than five sprints, and represented Python core at the GitHub Satellite event in Berlin. The events are ConFoo Montreal 18/19/20, DevConf Czechia 18/19, DevConf India 18/19, EuroPython Cardiff and Basel, PyCon Belarus, Pizza Python Hamburg, PyCaribbean Santo Domingo, PyCon Czechia, PyCon Italy, PyCon US Cleveland 18/19 (with Language Summit and sprints), PyCon Russia, Python Language Summit 2020, Python Core Developer sprints in 2017 to 2020, PyGotham New York, PyLondinium in London, Nest With Fedora (Flock online).

Current employer

I’m employed by Red Hat (owned by IBM) as a Principal Software Engineer in the platform identity management and security engineering department. I mainly work on the core of the identity management system FreeIPA and the integration of FreeIPA with other software stacks like OpenShift Container Platform. FreeIPA consists of the 389-DS LDAP server, the Dogtag PKI certificate system, MIT Kerberos, SSSD, and more technologies written in Python, C, Java, and JavaScript.

I also played a key role in the design and implementation of the new Fedora Account System, an IdM, AAA (authentication, authorization, access control) and Single Sign-On system based on FreeIPA, Ipsilon, and Flask. The new FAS is an Open Source project that will power the CentOS, Fedora, and OpenSUSE community platforms.

As part of my job I also maintain packages for RHEL and Fedora. The tasks include packaging open source code for the distributions (downstream) as well as fixing bugs and submitting patches to projects (upstream). Red Hat has a strong “upstream first” policy. All my code is open source.

Unlike others like Victor Stinner or Brett Cannon I don’t have a formal agreement that I’m permitted to dedicate a fixed amount of work time to other open source projects. I’m still able and allowed to dedicate some work time to Python, because the security of Python and certain improvements are of mutual interest to my employer, too. I also assist the Python maintenance team sometimes and act as a liaison between Red Hat product security and Python Security Response Team. My manager lets me attend conferences and events like the language summit on work time, too.


My agenda for the steering council can be summarized as “protect and stabilize the base”. I care less about new language features for the upcoming term. In my opinion it is more important to focus on stable API/ABI on one hand and a multi-year effort to improve the performance of the CPython runtime on the other hand. This agenda would also give alternative implementations like PyPy a chance to catch up. Sustainability of core development and community concerns me, too.

Python has come far and is now (depending on the metrics) third or second most popular programming language. It has become a dominant language in all sorts of areas from teaching kids how to code to groundbreaking scientific discoveries like gravitational waves and the first picture of a black hole. The communities around NumPy, SciPy, and Jupyter have enabled Python to become one of the major languages for data science and artificial intelligence besides R and Julia. For me these facts indicate that Python as a language has become mature. It’s the implementation and delivery mechanisms that have to evolve in order to stay competitive with languages like Java, JavaScript, and Go.

  • Performance is pivotal for the future of Python. Users have criticised the lack of concurrency and high memory usage in CPython. Proposals like gilectomy, subinterpreters, tagged pointers, or replacing reference counting with GC could advance CPython a lot. They are also major undertakings that cannot be implemented by a single developer in her or his free time. I think that paid and funded development is a viable way to tackle these hard problems.

  • CPython is developed and maintained by volunteers, mostly in their free time. A handful can spend some work time. I like to support avenues that reduce the burden on core devs like more automation, reducing the stdlib (e.g. my PEP 594), more automation like automatic code formatting, and onboarding of new members to spread our workload.

  • Python’s weak spots are browsers and mobile devices. I’m not qualified to improve the situation myself, but I like to support developers like Russell to make Python programs usable in browsers, Android, iOS, and similar platforms.

  • I consider packaging and PyPI another critical element of Python’s future. The Python Packaging Authority and PSF infrastructure team handle these areas well. As a steering council member I would trust their expertise and delegate packaging-related decisions.

  • Corporate sponsorship is necessary sooner rather than later. I completely share Thomas Wouters’ vision for paid work and funding. I’m also in favor of paid efforts like Mark Shannon’s faster python proposal.

  • Finally, the Python community is a major and crucial element of Python’s success story. Therefore I support any and all efforts that keep/make Python an open, inclusive, diverse, and welcoming community. I also support the decisions of the 2020 Steering Council in recent CoC incidents.