MORE TECHNICAL DEVELOPMENT
With two new CPython developers-in-residence, Petr Viktorin and Serhiy Storchaka, joining Senior Developer-in-Residence Łukasz Langa’s team, expect great strides in core development and community facilitation.
The Python Software Foundation is the organization behind Python. The PSF is an open membership organization, and we are made up of, governed, and led by the community. We exist to support the full Python ecosystem and community, for all uses and users of Python. If you contribute to the Python community in any way, whether as a member of the PSF, a PSF sponsor, a developer, an educator, a member of a local Python group, an organizer or attendee of a PyCon or other Python event, you are a part of the PSF and you make the work we do possible.
Our mission is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers.
THIS YEAR’S ANNUAL IMPACT REPORT WAS DESIGNED AND REVIEWED FOR ACCESSIBILITY. IF YOU HAVE FEEDBACK ABOUT HOW WE CAN IMPROVE, PLEASE SEND AN EMAIL TO psf@python.org.
The PSF provides the structure and stability that the Python language, its contributors and users need to thrive.
Looking forward, the PSF aims to help the Python ecosystem grow and thrive by reaching and welcoming an ever larger and more diverse group of Pythonistas to enjoy using Python and being part of our community.
BY DEB NICHOLSON, EXECUTIVE DIRECTOR
We brought on Seth, Mike, Marisa, and Marie in 2023, and in January of 2024 we also added two more people for the CPython team, Petr and Serhiy – welcome aboard! This increased capacity at our small but mighty organization has enabled us to do more of the things we know are needed for Python’s continued success.
You may have read that we have been working hard to provide better security and service to CPython and PyPI users. Thanks to Seth Larson’s hard work, we became a CNA this year, which makes it easier for any party to report a vulnerability, use secure versions of Python, and apply remediations and patches. And thanks to Mike Fiedler’s tireless dedication, we rolled out 2FA for all users on PyPI.
We’ve now got the capacity in house to write grants and have started seeing where we can collaborate. We’re grateful for partnerships with the Alpha-Omega project, AWS, Bloomberg, and Georgetown University for funding for three of the new technical roles I mentioned at the start of this letter, as well as Meta’s ongoing funding for the CPython Developer in Residence – it’s been transformative to be able to go from a vision from the community of what a role could look like to bringing people on board to seeing steady, tangible progress against the communities’ long term priorities. Loren Crary is leading the charge to find more entities that both care deeply about Python and are interested in funding our work. We’re looking at both government and academic partnerships and are actively building the relationships that will take our work to the next level.
Marie Nordin has helped us revive the PSF Newsletter. Under Laura Graves’ and the Grants Work Group’s stewardship, we gave out $374K in grants this year and began a journey to revitalize the Grants Program with a goal of better serving all the parts of our community, especially where there’s the most opportunity for our support to create an impact. In 2024, Marie and Laura will be working together with the Grants Working Group to see that the Grants Program continues to grow and thrive. We also gave out a record amount of travel grants ($280K) at PyCon US 2023 (with $50K provided by PyLadies) and PyCascades.
This was a big year for new fiscal sponsorees as Python Meetups and other local events started to really bounce back from the early days of the pandemic when in-person activity had really dwindled. Our Accounting Team – Phyllis Dobbs, Laura Graves, and Joe Carey – onboarded Bandit, BAPyA (Bay Area Python Groups), ChiPy, Denver Python User Group, North Bay Python, PyOhio, and Twisted in 2023. We welcome all of our new fiscal sponsorees and are excited to work with each organizing team.
We celebrated the 20th anniversary of PyCon US, welcoming 2,159 attendees in Salt Lake City, and 491 joining the online event. From the first tutorial session to the last day of sprints, we learned, connected, collaborated, and had a lot of fun. Under our Program Director Olivia Sauls’ leadership, a huge team of volunteers, speakers, presenters, staff, and sponsors came together to make it all possible, and the attendees brought their curiosity, knowledge, friendliness, and that special PyCon US energy that makes it a highlight of each year.
The PSF worked with the wider open source community to address the parts of the EU’s proposed Cyber Resilience Act that seemed potentially detrimental for our community. Through discussion and education, the final version of the law had much better clarity on who should be responsible for open source software security. We’ve also been following the conversation around cyber-security in the US. The US government invited us to participate in a call for information about how we approach and solve security issues.
Ee Durbin continues working with our Security staff, overseeing Seth Larson and Mike Fiedler as we build long-lasting, community-driven security on both the CPython side and PyPI side. Expect lots of updates and requests for input as we push forward to meet the evolving needs of Python contributors, users, and package maintainers.
After prompting from community members, we began a process of reviewing and reorganizing our Grants Program. We want to make sure that our application process is as smooth and transparent as possible and ensure that we are serving the community’s needs while recognizing and supporting the diversity of Python users around the world. If you have questions, ideas, or want to help, please let us know. We welcome you to join the PSF Grants Program Office Hours on Discord.
We want to spend more time celebrating community members and contributors that make Python so special. We need to hear from you about community members that we should be recognizing and lifting up! Please nominate your fellow Pythonistas for CSA or DSA Awards. We’re also interested in supporting more community endeavors, like Podcats and your Hatchery plans – please get in touch with your ideas!
One more lovely thing that happened this year – we received a GitHub Award under the Wonderfully Welcoming category in November! It was really gratifying to see our community recognized for something we collectively spend a lot of time on. We intend to continue expanding the universe of people who consider themselves part of our friendly community in 2024 and I hope you’ll join us in doing an excellent job of welcoming the next batch of Pythonistas into the fold!
Yours for more of everything,
DEB
BY MARIATTA WIJAYA, PYCON US CHAIR
Back in 2015, I received financial aid through PyLadies for attending the conference, and it kickstarted my journey in the Python community.
Seeing many women speaking at PyCon US was what inspired me to start speaking at conferences too, which in turn started a new personal tradition of doing ice cream selfies after giving a talk at a conference as a way to reward myself.
It was also at PyCon US 2015 that I listened to the keynote speech from Guido van Rossum regarding diversity issues in the core Python team, and how at that point there were no women as Python core developers at all, and that the Python Language Summit was attended by 50 men. Up to that point I didn’t even know that there was such a thing called “Python core developer”. It made me realize that I didn’t know much about the Python community at all. The speech inspired me to be more involved in the Python community and to eventually become a Python core developer myself.
I did not expect to one day be the one chairing the PyCon US conference myself. Without the financial aid and support from PyLadies and the Python community, I would not be where I am today.
BY DAWN WAGES, BOARD OF DIRECTORS, CHAIR
It is not always easy to accomplish these goals with our varying interests, expertise and ideas; but we have had many rewarding ends to conversations with our eyes fixed on supporting the Python Software Foundation and its members. The passion is shared among this wonderful board and it’s been an honor to serve in this role.
We’re thrilled that our global interest in Latin American, Asian, and African Python events has meant closer relationships with regional leaders with specific requests to address the underrepresented global audience. We are ready to roll up our sleeves and continue to support the Python community globally. This year we invested a lot of time and energy into initiatives that connect the community. Join us for Grant Office Hours
BY ŁUKASZ LANGA
2023 was the year of collaboration – from CPython internals, through process improvements for Python development, all the way to fostering external contributions and expanding the Developer in Residence program.
The biggest news is the acceptance of PEP 703 by the Steering Council, and the resulting work towards bringing it to light. If you’re not familiar with the cryptic combination of a three-letter acronym and numbers, PEP 703 is the design document that describes how Python can make the Global Interpreter Lock (GIL) optional. It’s a change of unprecedented magnitude in Python, and with that comes the need for unprecedented caution. Sam Gross, the author of the PEP, described not only a feasible way to build a usable Python without the GIL, but provided a proof-of-concept implementation. Łukasz supported the change from Day 1, helped with bringing it under discussion with other core developers, formalized it in the form of a PEP, and sponsored it under his role as a CPython developer.
At the same time, the core team is working on equally impressive changes like a Just-in-Time compiler, which requires additional testing. Łukasz worked on maintaining the buildbot fleet, improving the performance of the front-end, making the big memory Windows 11 buildbot more usable at time of Pull Requests, fixing macOS build failures, and triaging issues when they popped up. In particular, the big memory buildbot caught a number of unique bugs!
Łukasz joined Steve Dower as a member of the release team who prepares Windows installers. We’re still on our way to do the same for macOS but in the meantime Łukasz started helping Anthony Sottile release freshly built Python versions on Ubuntu as part of Anthony’s deadsnakes project. All in all, Łukasz was involved in essentially every release made in 2023.
At PyCon US 2023 we hosted the largest Python Language Summit in the history of PyCon US. Łukasz organized the Summit, including inviting external community members, some of whom became regular Python contributors! Every PyCon US ends with a sprint, and this time Łukasz supported newcomers who wanted to make their first contributions to Python. When the time came for EuroPython 2023 in Prague, Łukasz led the CPython sprint, which was so overflowing with contributors, we had to spill over to neighboring rooms.
The Python Core Developers met for a dedicated core sprint week in 2023 at Red Hat in Brno, Czechia. Organized by Petr Viktorin, this was a particularly fun and productive week. Łukasz worked with Mariatta Wijaya on upgrading some bots to serve as GitHub apps, which aligns them with the current requirements of the platform. During 2023, Łukasz reviewed and merged close to 500 pull requests within the Python organization on GitHub, most of them authored by other Core Developers.
A few of those upgrades were security improvements, like requiring second-factor authentication for all Python organization members on GitHub and adopting Sigstore as the technology to sign Python releases with signature and key transparency logs. Łukasz collaborates with Seth Larson, the PSF Security Developer-in-Residence, on a regular basis, as well as the Python Security Response Team.
What’s next? In late 2023, Łukasz got involved with upgrading speed.python.org, the platform to run and gather benchmarks of Python. It will need to become more powerful for the upcoming changes to Python. On top of that, work as a Developer-in-Residence has now transformed from a solo role into a team, which means more long-term planning is taking place to utilize our newly found development velocity.
BY SETH LARSON
Open source software supply chain security took off in 2023 including in the Python ecosystem.
Motivated by attacks on the software supply chain, exploitation of software vulnerabilities, and new regulations from governments, users are looking for solutions to maintain safety and integrity while participating in open source software ecosystems. Maintainers of open source want their projects to be secure, but in many cases there is a gap in time, resources, and tooling that stands in the way of holistic improvements.
To address these needs in the Python ecosystem, the Python Software Foundation hired Seth Larson as the inaugural Security Developer-in-Residence in June 2023. This position was possible thanks to grant funding from Alpha-Omega. The role has the mandate to improve the security posture of the entire Python ecosystem, including the Python runtime, Python packages, and infrastructure like the Python Package Index (PyPI). You can follow along with work being done on the PSF blog and Seth’s personal blog with frequent updates.
The first project was to improve Python’s ability to manage and publish vulnerabilities. Our vulnerability management process before was driven entirely by external organizations like MITRE who would assign CVEs on behalf of reporters, sometimes without consulting Python’s Security Response Team. This resulted in CVEs that sometimes were incorrect, confusing to users, or didn’t contain all the information needed to remediate like patches and work-arounds.
Towards having more involvement in the vulnerability process, Seth worked to authorize the Python Software Foundation as a CVE Numbering Authority (CNA) capable of managing the CVEs for both Python and pip. Vulnerability advisories were now getting published to the security-announce@python.org mailing list and the distributed Open Source Vulnerability (OSV) database for automated querying of vulnerabilities affecting Python.
Next was a focus on hardening CPython’s release process. Supply chain attacks against open source software tend to focus on the release process because it is ephemeral, which makes an intrusion harder to detect than an attack merged into the public source code. CPython’s release process is quite complex, requiring multiple humans and services for each release, and there is potential to exploit many of these components.
There were multiple improvements made to the release process, including auditing Sigstore signatures of CPython artifacts for consistency, making builds of CPython reproducible byte-for-byte to detect injected code, and moving the build from release managers’ machines to an isolated and repeatable environment like GitHub Actions. All of this work happened with the involvement of Python release managers to ensure the process changes fit with their existing working model.
2024 is likely to bring new challenges and having full-time staffing to engage early will mean Python can continue being a leader regarding supply chain security. We look forward to continued interest and support of a secure Python ecosystem for everyone.
BY MIKE FIEDLER
PyPI is a massive project that has become a key digital infrastructure serving millions of users.
Mike Fiedler joined the PSF in August 2023 as our new PyPI Safety & Security Engineer. Mike was already a dedicated member of the Python packaging community: he has been a Python user for 15 years, maintains and contributes to open source, and became a PyPI maintainer in 2022. This critical role would not be possible without grant funding from AWS.
Petabytes
OF PACKAGES SERVED (THAT’S EQUIVALENT TO ABOUT 65,000 YEARS OF VIDEO CONTENT)
Trillion
REQUESTS FLOWED THROUGH OUR FASTLY-SPONSORED CDN (AVERAGING ~36K REQUESTS PER SECOND)
Billion
DOWNLOADS FOR THE HALF MILLION PROJECTS ON PYPI (OVER 10 MILLION FILES)
We support the Python community by hosting resources & downloads on python.org, documentation on docs.python.org, packages on pypi.org, and much more.
In addition to these public facing resources, we also support the development workflows of CPython core developers, hosting of mailing lists on mail.python.org, and maintain and improve us.pycon.org for PyCon US. We also support the community by maintaining domain registration, DNS, mail, and more for our fiscal sponsorees as well as projects like PyPy and Jython.
In 2023 PyPI saw a 45% growth in download counts and bandwidth alike, serving 603,378,275 downloads for the 516,402 projects hosted there requiring 747.4 Petabytes of data transfer, or 189.6 Gbps of bandwidth 24x7x365.
The astounding traffic demands on the PSF infrastructure have continued to see year-over-year growth. Thanks to Fastly, the teams that maintain the services we support, particularly PyPI, have nevertheless been able to focus on improvements and features, rather than scaling to that increased load. We are grateful to Fastly for making the online services that the PSF provides possible, so that we can invest time and resources into advancing our infrastructure to better meet community wants and needs.
Session Attendees
We had 2,159 in-person attendees and 491 online attendees! 1,705 first time attendees joined us!
PyCon US welcomed the Python community back to the Salt Palace Convention Center for the second year of PyCon US in Salt Lake City, Utah, and for the 20th Anniversary Celebration of PyCon US. The mountainscape and spring weather of Salt Lake City provided a beautiful backdrop for an energizing and inspirational 9-day PyCon US 2023 conference, filled with Tutorials, Talks, Sponsor Presentations, Sprints, Summits, and Keynotes, promoting the theme “By the community, For the community”. This year, PyCon US reintroduced 4 days of the post-conference Development Sprints for the first time since gathering in-person again.
Live-streaming of the main conference days returned for the second year via the PyCon US 2023 virtual platform, Hubilo, with the new feature of providing access to all registered attendees, whether registered for online or in-person attendance. PyCon US was also able to provide live captioning for all tracks of the main conference days, including “live-remote” captioning for our Spanish Charlas Track, to increase and promote diversity and accessibility for our community.
The PSF maintains a fiscal sponsorship program to support Python events and projects by providing a non-profit umbrella, handling back office needs, and facilitating donations so the projects can concentrate on furthering their goals. The program continued to grow in 2023, bringing on 7 new fiscal sponsorees, arriving at 20 amazing groups total.
“PSF’s support for PyCon Namibia has helped a fledgling local software community grow into a confident, sustainable movement.”
- PyCon Namibia
(as of 2023 election)
May 15th-23rd
By the community, for the community
Pittsburgh, PA
In 2024, PyCon US will be held in Pittsburgh, Pennsylvania, at the David L. Lawrence Convention Center. Our attendees will join us online and in person for a program filled with tutorials, talks, sprints, summits, and keynotes presented by our community, celebrating our theme “By the community, For the community.” For more details, visit the conference website.
CONSOLIDATED FINANCIAL STATEMENT
($ in thousands)
REVENUE | 2023 | 2022 |
---|---|---|
Program Service Revenue | $2,859 | $2,641 |
Contributions, Membership Dues, & Grants | $1,349 | $1,430 |
Other Revenue | $148 | $12 |
TOTAL REVENUE | $4,356 | $4,083 |

EXPENSES | 2023 | 2022 |
---|---|---|
Program Service Expenses | $2,690 | $2,207 |
Staffing | $1,305 | $928 |
Information Technology | $240 | $302 |
Insurance | $122 | $102 |
Legal | $42 | $90 |
Other Expenses | $109 | $69 |
TOTAL EXPENSES | $4,508 | $3,698 |

NET INCOME | 2023 | 2022 |
---|---|---|
NET INCOME | -$152 | $385 |

ASSETS | 2023 | 2022 |
---|---|---|
Cash and Cash Equivalents | $5,051 | $5,403 |
Accounts Receivable - Net | $265 | $237 |
Other Current Assets | $125 | $129 |
TOTAL ASSETS | $5,441 | $5,769 |

LIABILITIES | 2023 | 2022 |
---|---|---|
Deferred Revenue | $559 | $842 |
Accounts Payable & Liabilities | $178 | $130 |
TOTAL LIABILITIES | $737 | $972 |

NET ASSETS | 2023 | 2022 |
---|---|---|
Net Assets without Donor Restrictions | $2,502 | $3,150 |
Net Assets with Donor Restrictions | $2,202 | $1,647 |
TOTAL NET ASSETS | $4,704 | $4,769 |

TOTAL | 2023 | 2022 |
---|---|---|
TOTAL | $5,441 | $5,769 |
2023 EXPENSES BY CATEGORY
($ in thousands)
PyCon US - $1,800 (60.5%)
Grants - $677 (22.8%)
Packaging Work Group/Infrastructure/Other - $286 (9.6%)
Fiscal Sponsorees - $204 (6.9%)
Code of Conduct - $5 (0.2%)
Community Awards & Expenses - $1 (N/A)
[Figure: PSF asset trends from 2018-2023 ($ in thousands)]
[Figure: PSF grant disbursement from 2016-2023 ($ in thousands)]
[Figure: PSF grant trends from 2016-2023 ($ in thousands), with trendline]
In 2023, the grants program focused on virtual and in-person events. The PSF distributed $697K in grants in 2023, to 174 groups in 52 countries around the world.
We want to talk about Python and the Python community with you everywhere.
VISIT US AT PYTHON.ORG
The PSF is recognized by the IRS as a 501(c)(3) non-profit charitable organization in the United States. Want to collaborate on a grant or donate something that needs to go to charity? Get in touch with us, sponsors@python.org.