<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
We of the core dev community commit to supporting Python releases
for five years. Releases get eighteen months of active bug fixes,
followed by three and a half years of security fixes. Python 3.4
turns 5 next March--at which point we'll stop supporting it, and
I'll retire as 3.4 release manager.<br>
<br>
My plan is to make one final release on or around its fifth birthday
containing the last round of security fixes. That's about seven
months from now. Nothing has been merged since the releases of
3.4.9 and 3.5.6 last week, and there are no open PRs against either
of those releases.<br>
<br>
But! There are still a couple languishing "critical" bugs:<br>
<blockquote>"shutil copy* unsafe on POSIX - they preserve
setuid/setgit bits"<br>
<a class="moz-txt-link-freetext"
href="https://bugs.python.org/issue17180">https://bugs.python.org/issue17180</a><br>
<br>
"XML vulnerabilities in Python"<br>
<a class="moz-txt-link-freetext"
href="https://bugs.python.org/issue17239">https://bugs.python.org/issue17239</a><br>
<br>
"fflush called on pointer to potentially closed file" (Windows
only) <br>
<a class="moz-txt-link-freetext"
href="https://bugs.python.org/issue19050">https://bugs.python.org/issue19050</a></blockquote>
It'd be nice to resolve all those issues, one way or another, before
we retire 3.4.<br>
<br>
<br>
See you next March,<br>
<br>
<br>
<i>/arry</i><br>
</body>
</html>