Python security releases usually require all Python release managers to be available due to each release stream being assigned to a specific release manager. This happens in multiple locations:
Documentation and schedule
GPG identities for artifacts
Sigstore identity of all artifacts
Windows and macOS artifacts built and signed by Experts
This makes security releases especially difficult to coordinate.
There's already history for release managers "filling in" for one another and fixing up things after the release is out (for example, 3.10.14 being done originally by @ambv and then resigned by @pablogsal later).
Making the release process not depend on specific release managers means releases are less of a burden on RMs while also setting solid long-term expectations for release artifact users.
Where are the friction points?
Where in the current process are the friction points around any release manager making a release?
Human identities
Human identities for signing (Sigstore and GPG).
Identities of all release managers need to be trusted due to it not being known which release manager would be signing the artifacts ahead of time.
Difficult to automate without injecting directly into the build process. Somewhat trivializes the "human" identity.
Sigstore doesn't offer an ergonomic solution to verify a human-identity signature against a list of trusted identities.
For GPG, it seems that most folks import all trusted keys before verifying but some folks are pinning the identity of the release manager per release stream (ref, ref)
If this changes, documentation and user expectations will need to change. Would require a gradual phase-out and an announcement.
Builds are not all automated
Windows is completely automated in Azure Pipelines, uses Steve's GPG key regardless of who kicks off the build.
Source and docs builds are partially automated, plan is to automate further to be similar to Windows.
macOS builds aren't automated yet, uses Ned's GPG key. Likely will use GitHub Actions for automation?
This doesn't require any user-facing documentation changes or announcements.
Potential changes
Here are a list of proposed changes towards solving the above problems. Not all of these changes need to be accepted to achieve the above outcome.
Continue offering Sigstore and GPG human identities for existing Python release streams.
Move towards Sigstore being the recommended integrity mechanism for CPython artifacts in GitHub Actions. Moving away from human identities to machine/workflow identities for Sigstore solves the human identity problems.
Decide a cut-off point (3.14?) to stop offering human identity Sigstore identities.
Deprecate GPG signatures for future releases? Shared GPG key for release manager team? Open to other suggestions.
Python security releases usually require all Python release managers to be available due to each release stream being assigned to a specific release manager. This happens in multiple locations:
This makes security releases especially difficult to coordinate.
There's already history for release managers "filling in" for one another and fixing up things after the release is out (for example, 3.10.14 being done originally by @ambv and then resigned by @pablogsal later).
Making the release process not depend on specific release managers means releases are less of a burden on RMs while also setting solid long-term expectations for release artifact users.
Where are the friction points?
Where in the current process are the friction points around any release manager making a release?
Human identities
If this changes, documentation and user expectations will need to change. Would require a gradual phase-out and an announcement.
Builds are not all automated
This doesn't require any user-facing documentation changes or announcements.
Potential changes
Here are a list of proposed changes towards solving the above problems. Not all of these changes need to be accepted to achieve the above outcome.
Further automating GitHub Actions builds is captured in https://github.com/python/release-tools/issues/108