If they're really all wontfix, maybe we should mark them as wontfix, thus giving 3.4 a sendoff worthy of its heroic stature.

Godspeed, and may a flight of angels sing thee to thy rest,

/arry

On 08/20/2018 05:52 AM, Victor Stinner wrote:

> "shutil copy* unsafe on POSIX - they preserve setuid/setgit bits"
> https://bugs.python.org/issue17180

There is no fix. A fix may break the backward compatibility. Is it really worth it for the last 3.4 release?

> "XML vulnerabilities in Python"
> https://bugs.python.org/issue17239

Bug inactive since 2015. I don't expect that anyone will step in next weeks with a wonderful solution to all XML issues. I suggest to ignore this one as well, this issue is as old as XML support in Python and I am not aware of any victim of these issues.

Obviously, it would be "nice" to see a fix for these issues but it seems like core devs are more interested to work on other topics and other security issues.

> "fflush called on pointer to potentially closed file" (Windows only)
> https://bugs.python.org/issue19050

It seems like two core devs are opposed to fix this issue.

--

There are open security issues on the HTTP server and urllib. I am more concerned by these issues, but it's hard to fix them, there is a risk of introducing regressions.

Victor