Some binaries are also stored inhttps://github.com/python/cpython-bin-deps, though generally they should also have sources in the source-deps repo. Is this distinction important here?

Do any of the cpython-bin-deps get shipped along with the CPython artifacts? If they're derived from the cpython-source-deps repository I think we should be okay.

I think the only one that isn't derived fromcpython-source-deps isvcruntime140.dll, which comes from our repo to make sure we always get the latest one and not whichever GHA build machine we're on.

Maybe worth noting that this can only be done by a core committer, and we don't accept PRs for it (because we need to verify the sources have come from the right source and are unmodified, and our trust boundary for this is "has the commit bit").

Also might be worth noting that sometimes there's a build step involved and the core committer will then push a tag tocpython-bin-deps that will actually be used in the build. Tcl/Tk, libffi and OpenSSL are all in this group.

In practice for contributors, what this usually means is that they should post an issue requesting the updated version, wait for a core dev to say the tags are ready, and then the contributor can continue with the following steps.

I've addressed this comment inb32b691. Do you think we should cover the cpython-bin-deps part here as well?

Not in the same note, but it ought to be documented somewhere. At the very least, we should mention thecpython-bin-deps repo at least once so that someone reading this knows to look there.

Would be helpful to clarify where thelibraries variable is.

This is still unclear.