Han shot first (Friends)
Episode: 120 min · Read time: 3 min · AI-Generated Summary
Key Takeaways
- Lock File Standardization Timeline: Brett spent four years (six from initial Twitter mention) developing pylock.toml, a standardized lock file format for Python. The delay stemmed from needing to reimplement pip from scratch as a proof of concept, including writing a custom resolver and metadata reader, because pip's components weren't available as reusable libraries. The first attempt failed when the community rejected a security-focused approach that excluded source distributions, forcing a complete restart.
- Python Packaging Complexity: Python's packaging system handles prebuilt binaries for C code across platforms, solving problems other ecosystems haven't addressed. This creates complexity around version compatibility, platform-specific dependencies, and flat namespace requirements (one version per package). Node's package-lock.json couldn't be adapted because Python allows multiple binary versions per platform, requires handling Mac-specific versus Windows-specific packages, and maintains a flat namespace unlike Node's nested node_modules structure.
- Steering Council Governance Model: Python's five-seat steering council operates through annual elections using STAR voting (Score Then Automatic Runoff), where candidates are rated zero to five. The council serves as final arbiter for Python Enhancement Proposals (PEPs) but has devolved packaging decisions permanently to specialized delegates. Only six candidates ran for five seats in the most recent election, suggesting time commitment and code of conduct enforcement responsibilities deter volunteers.
- Workflow Tool Evolution: UV, Hatch, and PDM popularized unified workflow tools that handle Python installation, virtual environment creation, and dependency management in single commands (like "uv run"). These tools leverage Python Build Standalone to auto-download relocatable Python binaries, eliminating the multi-step process of manual Python installation, virtual environment setup, and package installation. UV's performance and marketing created rapid adoption, raising concerns about vendor lock-in despite MIT licensing.
- Voting System Selection Crisis: Choosing Python's governance model after Guido van Rossum's resignation took four months (July to November) and caused significant stress among core developers. The team had to decide how to decide without any existing voting mechanism, relying on mailing list consensus and "soft power" from long-time contributors. The final choice was approval voting initially, later switching to STAR voting to allow preference expression beyond binary approve/reject decisions.
What It Covers
Brett Cannon discusses his six-year journey creating Python's standardized lock file format (PEP), navigating the Python Steering Council's governance structure, and the rise of UV and Astral in the Python ecosystem. The conversation explores voting systems, package management complexity, and the challenges of standardizing tools across a volunteer-driven community with competing workflow solutions.
Key Questions Answered
- Open Source Sustainability Challenges: The Python Steering Council faces declining volunteer participation, with only six candidates for five seats, partly due to code of conduct enforcement requirements. Members must handle reports about community members, learning information they'd prefer not to know, even when issues don't warrant action. This emotional labor, combined with weekly meetings, office hours, and PEP review responsibilities, creates barriers to participation in volunteer-driven governance.
- Enterprise Integration Strategy: Brett works to prevent UV vendor lock-in by standardizing virtual environment locations and getting python.org to distribute prebuilt binaries, not just Python Build Standalone. The goal is making UV an option rather than requirement, allowing Astral to focus on enterprise features (like private package indexes) while the community maintains baseline functionality. This approach mirrors successful open source models where companies serve enterprise needs without controlling core infrastructure.
Notable Moment
Brett revealed he began choking at a restaurant due to stress from Python's governance transition after Guido van Rossum resigned. The crisis stemmed from having to decide how to decide on a voting system without any existing mechanism, forcing reliance on mailing list consensus and informal power dynamics among long-time contributors to reach agreement on fundamental governance structures.