The Evolution of Python Packaging and Security

What is the best way to record the Python dependencies for the reproducibility of your projects? What advantages will lock files provide for those projects? This week on the show, we welcome back Python Core Developer Brett Cannon to discuss his journey to bring PEP 751 and the pylock.toml file format to the community.

Brett has been working on a way to move beyond the requirements.txt file for over six years. He was on the show previously to discuss his work on PEP 665, which was rejected. He decided to continue to push forward, authoring PEP 751 last year, which was accepted at the end of March this year.

The PEP calls for a new file format to record your project’s dependencies. The goal was to have a standardized immutable record for what should be installed to reproduce your project in a virtual environment. He discusses working with other packaging projects and the compromises involved in creating a standard.

Topics:

• 00:00:00 – Introduction
• 00:02:38 – Brett’s roles within the Python community
• 00:05:41 – How to move beyond requirement.txt?
• 00:10:58 – What does the community use as project artifacts?
• 00:15:28 – Building on the success of pyproject.toml
• 00:17:44 – Introducing PEP 665
• 00:19:49 – Software Bills of Materials and security
• 00:25:20 – Back to lock files and security
• 00:31:08 – Video Course Spotlight
• 00:32:27 – Not giving up on the idea
• 00:34:01 – Leading into PEP 751
• 00:38:54 – Working toward a single multi-platform file
• 00:43:02 – The final push
• 00:48:54 – Leaving room for flexibility
• 00:53:50 – And it’s done, PEP 751 accepted unconditionally
• 00:58:06 – Keynote speaker at EuroPython 2025
• 00:58:45 – What are uv workspaces?
• 01:01:02 – Considering the use of lock files in data science
• 01:05:23 – Updates about Python for WASI and Emscripten
• 01:13:51 – Clarification on WASI
• 01:20:28 – Future conversation about Python launcher
• 01:23:04 – What are you excited about in the world of Python?
• 01:24:25 – What do you want to learn next?
• 01:28:41 – What’s the best way to follow your work online?
• 01:31:00 – Thanks and goodbye

Show Links:

• Tall, Snarky Canadian
• BREAKING: Guido van Rossum Returns as Python’s BDFL - YouTube
• Python Packaging User Guide
• PEP 751 – A file format to record Python dependencies for installation reproducibility
• PEP 665 – A file format to list Python dependencies for reproducibility of an application
• pylock.toml Specification - Python Packaging User Guide
• Inline script metadata - Python Packaging User Guide
• PEP 723 – Inline script metadata
• Using workspaces - uv
• Do you have a flag? - Eddie Izzard - YouTube
• OpenBLAS : An optimized BLAS library
• EuroPython 2025 - July 14 to 20, 2025 - Prague, Czech Republic & Remote
• Bytecode Alliance
• Recent conversations - Bytecode Alliance - Zulip
• My impressions of Gleam
• My impressions of ReScript
• Python on Exercism
• Brett Cannon’s Films - Letterboxd
• Media I Like - Open Source by Brett Cannon
• Brett Cannon (@snarky.ca) — Bluesky
• Brett Cannon (@brettcannon@fosstodon.org) - Fosstodon

Level up your Python skills with our expert-led courses:

• Python Basics Exercises: Installing Packages With pip
• Everyday Project Packaging With pyproject.toml
• Using the Python subprocess Module

Support the podcast & join our community of Pythonistas