Thanks for raising this — I came to the same conclusion after reading PEP 619.
Since security-only releases stop shipping precompiled Windows binaries after three years, tools like winget are stuck on older patch versions (e.g., 3.10.9 instead of 3.10.19), even though newer security fixes exist.

It would be great if the Windows package feed could provide the latest patched builds. As I see it, we have two possible approaches:

Build Python ourselves via a Winget pipeline so that the official Winget package always tracks the latest security patch.

Use the community-maintained builds like the ones in adang1345/PythonWindows — assuming the trust and reproducibility aspects can be verified.

Do you think it would be feasible for the Python Windows maintainers to ship these security-patch binaries, or support an automated pipeline? Even unofficial builds in Winget would already improve security for many users.

Short Response (English)

Your observation about PEP-0619 causing winget to lag on security-patched Python versions (e.g., 3.10.19 vs. 3.10.9) is spot on. Here’s a quick take on your options and feasibility:

1. Custom winget compilation pipelines: Most reliable/secure (you control builds from official Python source) but requires upfront CI/CD setup (e.g., GitHub Actions) and ongoing maintenance (handling Windows build tools, patch updates). This is absolutely feasible for serving security-patched versions (you can publish to official winget-pkgs or a custom feed).

2. Using adang1345/PythonWindows: Faster shortcut but high trust/sustainability risks—you must verify the repo uses unmodified official source, has auditable build logs, and updates binaries consistently. Third-party precompiles carry system-level security risks.

In short: Serving security-patched Python via winget is possible—custom pipelines are the safest path, while the third-party repo is only viable if fully audited.