Some binaries are also stored in https://github.com/python/cpython-bin-deps, though generally they should also have sources in the source-deps repo. Is this distinction important here?

Do any of the cpython-bin-deps get shipped along with the CPython artifacts? If they're derived from the cpython-source-deps repository I think we should be okay.

I think the only one that isn't derived from cpython-source-deps is vcruntime140.dll, which comes from our repo to make sure we always get the latest one and not whichever GHA build machine we're on.

Maybe worth noting that this can only be done by a core committer, and we don't accept PRs for it (because we need to verify the sources have come from the right source and are unmodified, and our trust boundary for this is "has the commit bit").

Also might be worth noting that sometimes there's a build step involved and the core committer will then push a tag to cpython-bin-deps that will actually be used in the build. Tcl/Tk, libffi and OpenSSL are all in this group.

In practice for contributors, what this usually means is that they should post an issue requesting the updated version, wait for a core dev to say the tags are ready, and then the contributor can continue with the following steps.

I've addressed this comment in b32b691. Do you think we should cover the cpython-bin-deps part here as well?

Not in the same note, but it ought to be documented somewhere. At the very least, we should mention the cpython-bin-deps repo at least once so that someone reading this knows to look there.

Would be helpful to clarify where the libraries variable is.

This is still unclear.