PSF Meeting Minutes for Sept. 10, 2025
Title: 2025-09-10 PSF Board Meeting Minutes Encoding: utf-8 Author: psf at python.org Content-Type: text/x-rst
A regular meeting of the Python Software Foundation ("PSF") Board of Directors was held over Group Conference Call via phone and Internet Relay Chat/Slack beginning at 13:00 UTC, on September 10, 2025. Phyllis Dobbs took notes/minutes.
All votes are reported in the form "Y-N-A" (in favor-Y, opposed-N, abstentions-A; e.g. "5-1-2" means "5 in favor, 1 opposed, and 2 abstentions").
- 1 Attendance
- 2 Minutes of Past Meetings
- 3 Board and Staff Monthly Reports for September 2025
- 3.1 Deb Nicholson
- 3.2 Oliva Sauls
- 3.3 Laura Graves
- 3.4 Ee Durbin
- 3.5 Phyllis Dobbs
- 3.6 Loren Crary
- 3.7 Marie Nordin
- 3.8 Seth Larson
- 3.9 Mike Fiedler
- 3.10 Jaime Barrera
- 3.11 Jacob Coffee
- 3.12 Maria Ashna
- 3.13 Dawn Wages
- 3.14 Denny Perez
- 3.15 Cristián Maureira-Fredes
- 3.16 Simon Willison
- 3.17 Jannis Leidel
- 3.18 Kushal Das
- 3.19 Georgi Ker
- 3.20 KwonHan Bae
- 3.21 Tania Allard
- 3.22 Cheuk Ting Ho
- 3.23 Chris Neugebauer
- 4 Work Group Reports
- 5 PSF Board Votes Approved by Email
- 6 Votes Approved by Working Groups
- 7 Consent Agenda Resolutions
- 8 New Business
- 9 Discussions
1 Attendance
The following members of the Board of Directors (8 of 12) were present at the meeting: Cristián Maureira-Fredes, KwonHan Bae, Jannis Leidel, Denny Perez, Deb Nicholson, Georgi Ker, Simon Willison. Dawn Wages joined the meeting at 13:49 UTC.
Also in attendance were Ee Durbin (Director of Infrastructure), Phyllis Dobbs (Controller), Loren Crary (Director of Resource Development), Seth Larson (Python Security Developer in Residence), and Jaime Barrera (Community Events Coordinator).
2 Minutes of Past Meetings
Minutes from prior meeting August 13, 2025:
RESOLVED, that the Python Software Foundation approve the minutes at https://mail.python.org/archives/list/psf-important@python.org/thread/JSWRVJPYZK7Q6F33SL5TIWAAKP5AKD33/ as representing a true and accurate record of the August 13, 2025 meeting.
Approved, 7-0-0
Minutes from prior special meeting September 2, 2025:
RESOLVED, that the Python Software Foundation approve the minutes at https://docs.google.com/document/d/1aBwEuCrWvVjpXjdzvhyqb-KNqTyt1jpbeHIMH5VG9rg/edit?usp=sharing as representing a true and accurate record of the September 2, 2025 meeting.
Approved, 7-0-0
3 Board and Staff Monthly Reports for September 2025
3.1 Deb Nicholson
- Helped run Board Election
- Respond to minor legal issues
- Discuss Python and AI with several stakeholders
- Mid-year budget discussions
- Fundraising planning conversations
- General admin and staff management duties
- Prepare to attend Open Source Congress and PyCon UK
3.2 Oliva Sauls
September report not provided.
3.3 Laura Graves
- Ongoing accounting activities
- Grants
- Supplemental grants office hours related to emergency funding stop
- Discussions with staff regarding how meetup and fiscal sponsoree grants are affected by emergency funding stop
- Meeting with Grants Work Group regarding emergency funding stop
- PyCon US
- Updating documentation for travel grant program for 2026
- Fiscal Sponsorship
- Status meeting with PyMNtos
- Human Resources
- Meeting with Health Equity to get the FSA set up again
- Training: Preventing Workplace Harassment - Fundamentals Office 2025
3.4 Ee Durbin
September report not provided.
3.5 Phyllis Dobbs
September report not provided.
3.6 Loren Crary
September report not provided.
3.7 Marie Nordin
- PTO
- Grants Program
- Communications around pause
- Gathering feedback through office hours, meetings, etc
- Started work on ‘Community Partner’ program
- Elections
- Communications
- Coordination
- Working with ARM on PSF Case Study
- End-of-year Fundraiser Kick Off
- Supporting sponsor prospectus work
- Miscellaneous communications & PR response
3.8 Seth Larson
- White paper on "Unmasking Phantom Dependencies: Software Bill-of-Materials for Python packages" was published to Alpha-Omega and the Python Software Foundation blogs.
- Published coordinated advisory for uv and Python Package Index rejecting ZIP archives that could abuse ZIP implementation differentials.
- Published "The vulnerability might be in the proof-of-concept" blog post informing open source security teams about a common approach that reporters use to convince teams that there's a vulnerability in a project: by submitting insecure code in the proof-of-concept.
- Responded to reports that Python Software Foundation certificates had been used to sign malware. Audited the release process for Windows, but it turned out the reports were not correct: the malware was signed but the signatures weren't correct, therefore the certificates were not leaked.
- Working on follow-up from the certificate misrevocation to document a more consistent process to avoid future misrevocations.
- Met with GitHub Security product team to discuss GitHub Security Advisories feature improvements.
- Support for Software Bill-of-Materials (PEP 770) generation has finally been merged into auditwheel. Once released, this will mean many projects will begin generating SBOM documents automatically without further updates.
- Documented existing security-related practices and open standards that CPython implements as a part of submission for the Digital Public Goods registry.
- Published Truststore v0.10.4 which fixed a thread-safety issue when configuring a shared SSLContext. Updated pip and PDM.
- Handled reports to the Python Security Response Team
3.9 Mike Fiedler
- Malware Response
  - During August, PyPI received over 200 inbound malware reports. The automated quarantine system continued to function without false positives, demonstrating its utility and improving trust in the reporters.
  - Mike enhanced PyPI Admin capabilities by implementing a "quarantine all for user" feature and adding an admin page for quarantine management, streamlining the response process when dealing with accounts creating multiple malicious packages.
- Account Safety & Domain Resurrection Prevention
  - Building on July's work, Mike completed significant improvements to prevent domain resurrection attacks. The system disabled approximately 2,000 accounts with expired email domains, continuing the cleanup effort from previous months.
  - Mike published a comprehensive blog post on domain resurrection prevention, explaining PyPI's approach to this security threat. This garnered interest on social/news sites, with roughly 5,000 pageviews since publication. The implementation now prevents password resets for accounts with unverified email addresses from expired domains, closing a potential account takeover vector.
  - Additionally, Mike implemented an admin sent email lookup feature to better track email delivery issues, and authored specifications for email suppression list management for future admin use.
- Security Infrastructure Improvements
  - Mike worked with the team to address several security concerns:
    - Collaborated with Seth Larson to deliver a ZIP confusion attack prevention PR
    - Reviewed and assisted with the tarfile vulnerability fix (CVE-2025-8194)
    - Proposed a 2FA brute force limiter to prevent authentication slow-roll attacks, per the Authentication section of OpenSSF Principles for Package Repository Security
    - Authored data validation improvement for Admin views
    - Triaged & closed old issue on use of md5 checksums
  - Mike also began a conversation on potential integration with VirusTotal, discussing use of their CodeInsights feature for automated malware detection.
- Community Engagement
  - Attended Alpha-Omega public meeting focused on threat modeling
  - Participated in the OpenSSF Securing Software Repositories monthly meeting, sharing insights on domain resurrection attacks
  - Met with the AWS Python SDK team to provide feedback on their plans for their SDK projects
  - Attended the PSF Board Meeting on August 13th
  - Responded to pre-PEP conversation on OIDC endpoint discovery
  - Triaged broken blog RSS behavior, submitted patch to fix plugin upstream
- Other Items
  - Upgraded PyPI to Python 3.13.7 runtime
  - Investigated an OIDC endpoint performance issue
  - Achieved 100% coverage of tests code in warehouse
  - Added unreachable code detection for warehouse
  - Fixed missing routes for template views
  - Updated Node.js version to latest
  - Reviewed code for Org-level account limits
  - Reviewed code for PEP 792 Status Markers in API and blog post
  - Set development container names for easier identification
  - Surface release counts in Admin UI on project details
  - Proposed a structured logging approach for PyPI activity logs, pending infrastructure implementations
  - Addressed org rename whitespace issues and other admin UI improvements
  - Scaled down inspector services after confirming WAF challenges are working effectively
  - Completed annual staff review and provided upwards feedback
  - PTO
3.10 Jaime Barrera
September report not provided.
3.11 Jacob Coffee
September report not provided.
3.12 Maria Ashna
September report not provided.
3.13 Dawn Wages
- PSF: Some board office hours
- PSF: Board executive meeting
- PSF: PyCon Africa fundraising live stream
- COMMUNITY: DjangoCon US short Python update
- COMMUNITY: EuroSciP
3.14 Denny Perez
- PSF: Board Office Hours
- PSF: PyConUS committee meeting
- PSF: Board meetings and Slack discussions
- PSF: Advocacy Focus initiative, interview People from PSF & socials about elections
- PSF: PyLadiesCon: Organizer Team, Managing sponsors and communications.
- PSF: Mentored Python Chile community members on navigating the election process.
- Community - PyCon Latam: managing sponsors' socials, report after event
- Community - Python Chile: Managing sponsorship team, socials, CFP PyCon 2025
- Community - PyLadies Montreal: Organizing new team. Call for speakers meetup
- Community - Pyladies En Español: Translating and creating PyLadies Con blog posts into Spanish
- Community - PyCascades: Organizers meeting, social media outreach coordination
3.15 Cristián Maureira-Fredes
- PSF - Meetings, Office hours and discussions
- PSF - Board elections video campaign
- Community - PyLadiesCon: GSoC catch-up meetings and infrastructure tasks, besides the weekly meetings.
- Community - EuroPython: conference stats work continues, finalizing the initial website and adding more data. Discussion on the new community Discord server.
- Community - PyCon Greece: Attending, giving a talk, and a lightning talk about the PSF
3.16 Simon Willison
- PSF: Board Office Hours
- PSF: board discussions
- PSF: attended board meeting and special meeting
3.17 Jannis Leidel
September report not provided.
3.18 Kushal Das
September report not provided.
3.19 Georgi Ker
- PSF: Board Office Hours
- PSF: PyLadiesCon: Organizer
- Community: Attended Open Source Summit Europe.
- Community: Attended PyLadies Amsterdam
3.20 KwonHan Bae
- PSF: Board Office Hours
- PSF - participated in board discussions via Slack and email
- PSF - attended board meeting
- COMMUNITY : Python Docs Translate related some tasks
- COMMUNITY : vLLM KR Organize
- COMMUNITY : Python Asia Organize
- COMMUNITY : PyCon KR Organize
- COMMUNITY : Python Asia Organize
- COMMUNITY : Preparing Visit PyCon TW, JP
3.21 Tania Allard
- PSF: Participated in board discussions and EC meetings
- PSF: CoC-WG participation in meetings and discussions
- COMMUNITY: PyLadies global council meetings, discussions, and handover actions
- COMMUNITY: Preparation and attendance of the CPython core team sprint
- COMMUNITY: Regular ongoing maintenance work
3.22 Cheuk Ting Ho
- [PSF] Help preparing PSF board election
- [PSF] WGs: conduct, grants and education WG
- [PSF] Office hours
- [community] speaking at EuroSciPy, PyCon Greece, PyCon Taiwan
- [community] support Friends of PyCon Africa livestream
3.23 Chris Neugebauer
September report not provided.
4 Work Group Reports
4.1 Code of Conduct
- Nothing to report at this time.
4.2 Grants
- Nothing to report at this time.
4.3 Sponsors
- Nothing to report at this time.
4.4 Marketing
- Nothing to report at this time.
4.5 Jobs
- Of the 499 Job submissions created in September 2025:
  - 146 have status approved
  - 3 have status archived
  - 10 have status draft
  - 148 have status expired
  - 99 have status rejected
  - 83 have status removed
  - 10 have status review
4.6 Trademarks
- Nothing to report
4.7 Fellows
- Nothing to report
4.8 Packaging
- Nothing to report
4.9 Infrastructure
- Nothing to report
4.10 Scientific Python
- Nothing to report
4.11 Diversity & Inclusion Work Group
- Nothing to report
5 PSF Board Votes Approved by Email
- None at this time.
6 Votes Approved by Working Groups
6.1 Grants
- None at this time.
6.2 Sponsors
- None at this time.
6.3 Scientific Python
- None at this time.
7 Consent Agenda Resolutions
- None at this time.
8 New Business
- None at this time.
9 Discussions
- The board discussed an update on the ongoing Board Elections.
- The board discussed an update regarding PyPI orgs.
- The board discussed starting consultative meetings of the PSF board and the Python Steering Council.
- The board reviewed committees and officer positions and discussed officer elections and board orientation and training.
- The board discussed updates from the D&I Work Group and the User Experience Work Group.
- The board discussed the Finance/Investment Committee and current quorum issues.
- The board discussed an update on the current Grants Program pause.
- The board discussed communication around the developer survey and "state of Python 2025" blog post.
Meeting adjourned at 14:49 UTC
