We of the core dev community commit to supporting Python releases for five years. Releases get eighteen months of active bug fixes, followed by three and a half years of security fixes. Python 3.4 turns 5 next March--at which point we'll stop supporting it, and I'll retire as 3.4 release manager.
My plan is to make one final release on or around its fifth birthday containing the last round of security fixes. That's about seven months from now. Nothing has been merged since the releases of 3.4.9 and 3.5.6 last week, and there are no open PRs against either of those releases.
But! There are still a couple languishing "critical" bugs:
"shutil copy* unsafe on POSIX - they preserve setuid/setgit bits"
https://bugs.python.org/issue17180
"XML vulnerabilities in Python"
https://bugs.python.org/issue17239
"fflush called on pointer to potentially closed file" (Windows only)
https://bugs.python.org/issue19050
It'd be nice to resolve all those issues, one way or another, before we retire 3.4.
See you next March,
//arry/
On 13/08/2018 at 11:49, Larry Hastings wrote:
> We of the core dev community commit to supporting Python releases for five years. Releases get eighteen months of active bug fixes, followed by three and a half years of security fixes. Python 3.4 turns 5 next March--at which point we'll stop supporting it, and I'll retire as 3.4 release manager.
> My plan is to make one final release on or around its fifth birthday containing the last round of security fixes. That's about seven months from now. Nothing has been merged since the releases of 3.4.9 and 3.5.6 last week, and there are no open PRs against either of those releases.
> But! There are still a couple languishing "critical" bugs:
> "shutil copy* unsafe on POSIX - they preserve setuid/setgit bits"
> https://bugs.python.org/issue17180
> "XML vulnerabilities in Python"
> https://bugs.python.org/issue17239
> "fflush called on pointer to potentially closed file" (Windows only)
> https://bugs.python.org/issue19050
> It'd be nice to resolve all those issues, one way or another, before we retire 3.4.
So that 3.4 dies in good health?
Regards
Antoine.
“So that 3.4 dies in good health?”
More like getting all its evil deeds off its chest on the death bed, I think :)
Top-posted from my Windows 10 phone
From: Antoine Pitrou
Sent: Monday, 13 August 2018 2:59
To: Larry Hastings; python-committers; Python-Dev
Subject: Re: [python-committers] Winding down 3.4
On 13/08/2018 at 11:49, Larry Hastings wrote:
> We of the core dev community commit to supporting Python releases for five years. Releases get eighteen months of active bug fixes, followed by three and a half years of security fixes. Python 3.4 turns 5 next March--at which point we'll stop supporting it, and I'll retire as 3.4 release manager.
> My plan is to make one final release on or around its fifth birthday containing the last round of security fixes. That's about seven months from now. Nothing has been merged since the releases of 3.4.9 and 3.5.6 last week, and there are no open PRs against either of those releases.
> But! There are still a couple languishing "critical" bugs:
> "shutil copy* unsafe on POSIX - they preserve setuid/setgit bits"
> https://bugs.python.org/issue17180
> "XML vulnerabilities in Python"
> https://bugs.python.org/issue17239
> "fflush called on pointer to potentially closed file" (Windows only)
> https://bugs.python.org/issue19050
> It'd be nice to resolve all those issues, one way or another, before we retire 3.4.
So that 3.4 dies in good health?
Regards
Antoine.
> "shutil copy* unsafe on POSIX - they preserve setuid/setgit bits" https://bugs.python.org/issue17180
There is no fix. A fix may break backward compatibility. Is it really worth it for the last 3.4 release?
> "XML vulnerabilities in Python" https://bugs.python.org/issue17239
Bug inactive since 2015. I don't expect that anyone will step in in the next weeks with a wonderful solution to all XML issues. I suggest ignoring this one as well; this issue is as old as XML support in Python and I am not aware of any victim of these issues.
Obviously, it would be "nice" to see a fix for these issues but it seems like core devs are more interested in working on other topics and other security issues.
> "fflush called on pointer to potentially closed file" (Windows only) https://bugs.python.org/issue19050
It seems like two core devs are opposed to fixing this issue.
--
There are open security issues on the HTTP server and urllib. I am more concerned by these issues, but it's hard to fix them, there is a risk of introducing regressions.
Victor
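The first issue discussed above (issue17180) can be worked around on the caller's side. The following is an added example, not code from this thread or from CPython: `copy_without_special_bits` is a hypothetical helper that assumes a POSIX system and, unlike `shutil.copy`, refuses to overwrite an existing destination.

```python
import os
import shutil
import stat
import tempfile

# Bits that change whose privileges a program runs with.
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def copy_without_special_bits(src, dst):
    """Copy data and permission bits from src to a new file dst,
    dropping setuid/setgid. Hypothetical helper, POSIX only."""
    # O_EXCL refuses to reuse an existing path (or follow a symlink left
    # there); 0o600 keeps the file private while data is written.
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        shutil.copyfileobj(inp, out)
        mode = stat.S_IMODE(os.fstat(inp.fileno()).st_mode)
        # Set the final mode on the open descriptor, not by path.
        os.fchmod(out.fileno(), mode & ~SPECIAL_BITS)
    return dst


def demo():
    """Return permission modes of a constructed setuid file and two copies."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "tool")
        with open(src, "wb") as f:
            f.write(b"#!/bin/sh\nid\n")  # constructed sample content
        os.chmod(src, 0o4755)  # setuid + rwxr-xr-x
        plain = shutil.copy(src, os.path.join(tmp, "plain"))
        safe = copy_without_special_bits(src, os.path.join(tmp, "safe"))
        paths = {"src": src, "plain": plain, "safe": safe}
        return {k: stat.S_IMODE(os.stat(p).st_mode) for k, p in paths.items()}


if __name__ == "__main__":
    for name, mode in demo().items():
        print(name, oct(mode))
```

The copy made with `shutil.copy` carries the same mode as the source, while the helper's copy keeps only the ordinary permission bits.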
If they're really all wontfix, maybe we should mark them as wontfix, thus giving 3.4 a sendoff worthy of its heroic stature.
Godspeed, and may a flight of angels sing thee to thy rest,
//arry/
On 08/20/2018 05:52 AM, Victor Stinner wrote:
> > "shutil copy* unsafe on POSIX - they preserve setuid/setgit bits" https://bugs.python.org/issue17180
> There is no fix. A fix may break backward compatibility. Is it really worth it for the last 3.4 release?
> > "XML vulnerabilities in Python" https://bugs.python.org/issue17239
> Bug inactive since 2015. I don't expect that anyone will step in in the next weeks with a wonderful solution to all XML issues. I suggest ignoring this one as well; this issue is as old as XML support in Python and I am not aware of any victim of these issues.
> Obviously, it would be "nice" to see a fix for these issues but it seems like core devs are more interested in working on other topics and other security issues.
> > "fflush called on pointer to potentially closed file" (Windows only) https://bugs.python.org/issue19050
> It seems like two core devs are opposed to fixing this issue.
> --
> There are open security issues on the HTTP server and urllib. I am more concerned by these issues, but it's hard to fix them, there is a risk of introducing regressions.
> Victor
participants (4)
- Antoine Pitrou
- Larry Hastings
- Steve Dower
- Victor Stinner