How urllib3 maintainer Seth Larson streamlined the release process

by Amy Hays
on August 18, 2020

Seth Larson has a history of adopting unmaintained open source libraries. It’s not that he seeks out orphaned packages—it’s usually because an abandoned library touches a project he’s working on, and the package owner is happy to hand off maintenance to him.

There are security concerns with just handing off a package to a stranger, of course, but because Seth is the lead maintainer of much-depended-upon Python project urllib3, an HTTP client for Python, it’s easy to verify he isn’t a security threat.

Seth has been working on urllib3 since 2016 when the previous lead maintainer Cory Benfield noticed Seth’s work on a smaller project and suggested Seth contribute to the Python Hyper project. This led him to urllib3, of which he became lead maintainer in 2019.

Streamlining the release process

Seth has worked hard since he became lead maintainer to organize releases in a way that won’t break anything for the millions of projects depending on urllib3. The release process used to be all manual, and even Seth, probably the most qualified person to update a new release, was super anxious about breaking something.

It’s no longer manual now—they decided the solution was to limit human intervention as much as possible in the release process. This means anyone, even someone who isn’t a contributor, can start a release candidate. Once there’s a candidate, integration tests are executed from their CI before publishing the package to PyPI. It’s all automatically driven and takes minutes now, rather than hours of anxiety.

There's always a flip side, though. The ease of release makes urllib3 a high-value target for malicious actors, which is why Seth uses a hardware key or two-factor authentication to protect his Google, GitHub, and PyPI accounts and requires approval from either himself or urllib3’s author, Andrey, on files that control releases via GitHub Code Owners.
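The Code Owners control described above can be checked mechanically. The following is an added example, not code from urllib3 or from this article: it parses a CODEOWNERS file and reports any release-controlling path whose effective owners go beyond the approved maintainers. The sample file, the paths, and the `@` handles are constructed placeholders, and the pattern matcher is a simplified subset of GitHub's rules (no `**`).

```python
from fnmatch import fnmatchcase

# Constructed sample: paths and @handles are placeholders, not urllib3's real file.
SAMPLE = """\
*                    @example-org/contributors
/.github/workflows/  @lead-maintainer @project-author
/setup.py            @lead-maintainer @project-author
/ci/                 @example-org/contributors
"""
APPROVED = {"@lead-maintainer", "@project-author"}  # hypothetical release approvers

def parse_codeowners(text):
    """Return [(pattern, owners)] in file order, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules

def matches(pattern, path):
    """Simplified matcher: '*', leading '/', trailing '/', per-segment globs; no '**'."""
    if pattern == "*":
        return True
    pat, parts = pattern.strip("/").split("/"), path.split("/")
    # A leading or inner slash anchors the pattern at the repository root.
    anchored = pattern.startswith("/") or len(pat) > 1
    for s in ([0] if anchored else range(len(parts))):
        window = parts[s:s + len(pat)]
        if len(window) == len(pat) and all(map(fnmatchcase, window, pat)):
            # A literal last segment may name a directory and own what is beneath it;
            # a wildcard last segment (docs/*) does not recurse.
            if len(parts) == s + len(pat) or "*" not in pat[-1]:
                return True
    return False

def owners_for(path, rules):
    """The last matching pattern in the file takes precedence."""
    hits = [owners for pattern, owners in rules if matches(pattern, path)]
    return hits[-1] if hits else []

def audit(release_paths, rules, approved=APPROVED):
    """Return {path: finding} for release files not restricted to approved owners."""
    findings = {}
    for path in release_paths:
        owners = set(owners_for(path, rules))
        if not owners:
            findings[path] = "no code owner"
        elif not owners <= approved:
            findings[path] = "extra owners: " + ", ".join(sorted(owners - approved))
    return findings
```

Run against the sample, the audit flags `ci/deploy.sh` and also `.github/CODEOWNERS` itself, which falls through to the catch-all rule and so could be edited without maintainer approval.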

Finding work-life balance

Seth officially maintains 60 projects in the Python index, many of which are small projects where he fixed one or two things. Luckily, urllib3 is very stable due to its widespread adoption and many past contributions. Even better, the company he works for as his day job, Elastic, allows him to contribute improvements to projects like urllib3 that are related to his daily work.

Working full-time in addition to maintaining many open source projects can lead to a blurred work-life balance, something he struggled with in 2019.

“I honestly have a hard time figuring out life-work boundaries,” Seth said. “Like, I sign off work and spend a few more hours looking at GitHub.”

Being able to help people through his work on open source makes the extra effort worth it for Seth, though. As of this writing, urllib3 is just shy of 2 billion downloads, the 6th most downloaded project on PyPI. 

“Any day, I just look at the number of downloads, it blows my mind how many people this is helping every time there’s a new release,” Seth said. “I see this number and I think that millions of people’s lives have been improved and all I did was click a button.”

--

Seth Larson maintains urllib3 through the Tidelift Subscription, providing commercial support and maintenance for the hugely popular Python project. If you’re interested in learning more about the Tidelift Subscription and the benefits of managed open source, check out the 451 Research Pathfinder Report: Managed open source.
