Python 2.5.3: call for patches

Within a few weeks, we will release Python 2.5.3. This will be the last bug fix release of Python 2.5, afterwards, future releases of 2.5 will only include security fixes, and no binaries (for Windows or OSX) will be provided anymore (from python.org).
In principle, the release will include all changes that are already on the release25-maint branch in subversion [1]. If you think that specific changes should be considered, please create an issue in the bug tracker [2], and label it with the 2.5.3 version. Backports of changes that are already released in Python 2.6 but may apply to 2.5 are of particular interest.
Regards, Martin
[1] http://svn.python.org/projects/python/branches/release25-maint/
[2] http://bugs.python.org/

On Tue, Oct 07, 2008, "Martin v. Löwis" wrote:
In principle, the release will include all changes that are already on the release25-maint branch in subversion [1]. If you think that specific changes should be considered, please create an issue in the bug tracker [2], and label it with the 2.5.3 version. Backports of changes that are already released in Python 2.6 but may apply to 2.5 are of particular interest.
Just to emphasize this, "changes" means "bugfixes". (I'm mentioning this mainly because of the people who joined for 2.6/3.0.) For more info, see PEP6 about bugfix releases: http://www.python.org/dev/peps/pep-0006/
--
Aahz (aahz@pythoncraft.com) <*> http://www.pythoncraft.com/
"...if I were on life-support, I'd rather have it run by a Gameboy than a Windows box." --Cliff Wells, comp.lang.python, 3/13/2002

Just to emphasize this, "changes" means "bugfixes". (I'm mentioning this mainly because of the people who joined for 2.6/3.0.) For more info, see PEP6 about bugfix releases: http://www.python.org/dev/peps/pep-0006/
Thanks for clarifying this. For the last 2.5.x release in particular, we will strictly enforce the "no new features" policy; users interested in new features should switch to 2.6. Regards, Martin

Allow me to suggest that these get some attention:
http://bugs.python.org/issue3677
http://bugs.python.org/issue3367
Kristján

Martin v. Löwis wrote:
Just to emphasize this, "changes" means "bugfixes". (I'm mentioning this mainly because of the people who joined for 2.6/3.0.) For more info, see PEP6 about bugfix releases: http://www.python.org/dev/peps/pep-0006/
Thanks for clarifying this. For the last 2.5.x release in particular, we will strictly enforce the "no new features" policy; users interested in new features should switch to 2.6.
May I suggest http://bugs.python.org/issue1040026 ? It has a fairly simple patch (posixmodule.diff), a new test (test_posix5.PATCH), and it fixes a bug that makes os.times unusable on common platforms. Malte

May I suggest http://bugs.python.org/issue1040026 ?
It has a fairly simple patch (posixmodule.diff), a new test (test_posix5.PATCH), and it fixes a bug that makes os.times unusable on common platforms.
In the current form, I'm skeptical about applying this patch to 2.5.2. It has the possibility of breaking compilation; such patches are unacceptable. See my comments for details. Regards, Martin

Martin v. Löwis wrote:
May I suggest http://bugs.python.org/issue1040026 ?
It has a fairly simple patch (posixmodule.diff), a new test (test_posix5.PATCH), and it fixes a bug that makes os.times unusable on common platforms.
In the current form, I'm skeptical about applying this patch to 2.5.2.
It has the possibility of breaking compilation; such patches are unacceptable. See my comments for details.
OK, these should be easy to address. (Comments in the tracker.) Malte

On Tue, Oct 07, 2008 at 09:27:24AM +0200, "Martin v. Löwis" wrote:
Within a few weeks, we will release Python 2.5.3. This will be the last bug fix release of Python 2.5, afterwards, future releases of 2.5 will only include security fixes, and no binaries (for Windows or OSX) will be provided anymore (from python.org).
I'm going to the library this evening, and can make it my task to look through the 2.5->2.6 log for candidates. I won't do anything in Roundup just yet, but I'll put the list in the wiki or post it here, and then we can cut the list down further before creating any new issues (or re-opening old ones) in Roundup.
--amk

Martin, -On [20081007 09:27], "Martin v. Löwis" (martin@v.loewis.de) wrote:
Within a few weeks, we will release Python 2.5.3. This will be the last bug fix release of Python 2.5, afterwards, future releases of 2.5 will only include security fixes, and no binaries (for Windows or OSX) will be provided anymore (from python.org).
Since we tripped over these with Trac/Genshi we would appreciate if the following could be applied (if not already):
http://bugs.python.org/issue2231
http://bugs.python.org/issue2246
(http://bugs.python.org/issue2321 seems to be in 2.5 already based on the last comment)
--
Jeroen Ruigrok van der Werven <asmodai(-at-)in-nomine.org> / asmodai
イェルーン ラウフロック ヴァン デル ウェルヴェン
http://www.in-nomine.org/ | http://www.rangaku.org/ | GPG: 2EAC625B
Ignorance is the opportunity to learn...

On Mon, Oct 20, 2008 at 11:57:36AM +0200, Jeroen Ruigrok van der Werven wrote:
This fixes a memory leak in itertools.chain(), which was greatly changed between 2.5 and 2.6, and the patch was to code not present in 2.5. Are you sure this bug affected 2.5 at all?
Already backported to 2.5 in rev. 61287.
(http://bugs.python.org/issue2321 seems to be in 2.5 already
Correct; rev. 61485. --amk

-On [20081020 19:07], A.M. Kuchling (amk@amk.ca) wrote:
This fixes a memory leak in itertools.chain(), which was greatly changed between 2.5 and 2.6, and the patch was to code not present in 2.5. Are you sure this bug affected 2.5 at all?
No, my mind was caught up between versions, so Raymond's closing the issue is the logical thing to do. Apologies for wasting those few minutes.
--
Jeroen Ruigrok van der Werven <asmodai(-at-)in-nomine.org> / asmodai
イェルーン ラウフロック ヴァン デル ウェルヴェン
http://www.in-nomine.org/ | http://www.rangaku.org/ | GPG: 2EAC625B
Nothing is more honorable than enlightenment, nothing is more beautiful than virtue...

Martin v. Löwis schrieb:
Within a few weeks, we will release Python 2.5.3. This will be the last bug fix release of Python 2.5, afterwards, future releases of 2.5 will only include security fixes, and no binaries (for Windows or OSX) will be provided anymore (from python.org).
In principle, the release will include all changes that are already on the release25-maint branch in subversion [1]. If you think that specific changes should be considered, please create an issue in the bug tracker [2], and label it with the 2.5.3 version. Backports of changes that are already released in Python 2.6 but may apply to 2.5 are of particular interest.
I would like to apply fixes for some CVE's which are addressed in 2.5 but not yet in 2.4. this would include
CVE-2007-4965 CVE-2008-1679 CVE-2008-1721 CVE-2008-2315 CVE-2008-3144 CVE-2008-1887 CVE-2008-4864
Matthias

Matthias Klose wrote:
Martin v. Löwis schrieb:
Within a few weeks, we will release Python 2.5.3. This will be the last bug fix release of Python 2.5, afterwards, future releases of 2.5 will only include security fixes, and no binaries (for Windows or OSX) will be provided anymore (from python.org).
In principle, the release will include all changes that are already on the release25-maint branch in subversion [1]. If you think that specific changes should be considered, please create an issue in the bug tracker [2], and label it with the 2.5.3 version. Backports of changes that are already released in Python 2.6 but may apply to 2.5 are of particular interest.
I would like to apply fixes for some CVE's which are addressed in 2.5 but not yet in 2.4. this would include
CVE-2007-4965 CVE-2008-1679 CVE-2008-1721 CVE-2008-2315 CVE-2008-3144 CVE-2008-1887 CVE-2008-4864
+1 from a non-core developer who still has to keep sites using 2.4 up and running.
Tres.
--
Tres Seaver +1 540-429-0999 tseaver@palladion.com
Palladion Software "Excellence by Design" http://palladion.com

I would like to apply fixes for some CVE's which are addressed in 2.5 but not yet in 2.4. this would include
CVE-2007-4965 CVE-2008-1679 CVE-2008-1721 CVE-2008-2315 CVE-2008-3144 CVE-2008-1887 CVE-2008-4864
Can you identify the revisions that would need backporting? I could only find (trunk revisions)
CVE-2007-4965: r65880
CVE-2008-1721: r62235, issue2586
CVE-2008-3144: issue2588, issue2589, r63734, r63728.
CVE-2008-1887: issue2587, r62261, r62271
CVE-2008-4864: r66689
So what about
CVE-2008-1679: claimed to be issue1179 in the CVE, but that says it fixes CVE-2007-4965 only?
CVE-2008-2315
In principle, this is fine with me, so go ahead.
Regards, Martin

Martin v. Löwis schrieb:
I would like to apply fixes for some CVE's which are addressed in 2.5 but not yet in 2.4. this would include
CVE-2007-4965 CVE-2008-1679 CVE-2008-1721 CVE-2008-2315 CVE-2008-3144 CVE-2008-1887 CVE-2008-4864
Can you identify the revisions that would need backporting?
I could only find (trunk revisions)
CVE-2007-4965: r65880
CVE-2008-1721: r62235, issue2586
CVE-2008-3144: issue2588, issue2589, r63734, r63728.
CVE-2008-1887: issue2587, r62261, r62271
CVE-2008-4864: r66689
So what about
CVE-2008-1679: claimed to be issue1179 in the CVE, but that says it fixes CVE-2007-4965 only?
the original fix for CVE-2007-4965 did miss two chunks, which are included in r65878 on the 2.5 branch.
CVE-2008-2315
this is r65334 on the 2.5 branch and r65335 on the trunk:
Security patches from Apple: prevent int overflow when allocating memory
this was already checked in, with an added NEWS item in 2.4.5. Moved this to 2.4.6.
In principle, this is fine with me, so go ahead.
Done.

participants (8)
- "Martin v. Löwis"
- A.M. Kuchling
- Aahz
- Jeroen Ruigrok van der Werven
- Kristján Valur Jónsson
- Malte Helmert
- Matthias Klose
- Tres Seaver