Time for 3.4.9 and 3.5.6
My six-month cadence means it's time for the next releases of 3.4 and 3.5. There haven't been many changes since the last releases--two, to be exact. These two security fixes were backported to both 3.4 and 3.5: * bpo-32981: Fix catastrophic backtracking vulns (GH-5955) * bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) 3.5 also got some doc-only changes related to the online "version switcher" dropdown. (They weren't backported to 3.4 because we don't list 3.4 in the version switcher dropdown anymore.) There are currently no PRs open for either 3.4 or 3.5, and they also have no open "release blocker" or "deferred blocker" bugs. It seems things are pretty quiet in our two security-fixes-only branches--a good way to be! I therefore propose to cut the RCs in a week and a half, and the finals two weeks later. So: Wednesday July 18 2018 - 3.4.9rc1 and 3.5.6rc1 Wednesday August 1 2018 - 3.4.9 final and 3.5.6 final If anybody needs more time I'm totally happy to accommodate them--you can probably have all the time you need. I'm trying to keep to my rough six-month cadence, but honestly that's pretty arbitrary. Thanks to all of you who keep making 3.4 and 3.5 better, //arry/
I'll use this opportunity to remind you that 3.4 build is broken -- it can't be built from start to installer with the instructions given because of outside factors (CPython has migrated from Hg to Git). https://bugs.python.org/issue31623 about this was ignored (see https://bugs.python.org/issue31623#msg303708 for supplemental fixes). If this isn't something considered needing a fix, the claim that 3.4 is supported in any shape and form is but a pretense -- if something can't be built, it can't be used. On 08.07.2018 10:45, Larry Hastings wrote:
My six-month cadence means it's time for the next releases of 3.4 and 3.5. There haven't been many changes since the last releases--two, to be exact. These two security fixes were backported to both 3.4 and 3.5:
* bpo-32981: Fix catastrophic backtracking vulns (GH-5955) * bpo-33001: Prevent buffer overrun in os.symlink (GH-5989)
3.5 also got some doc-only changes related to the online "version switcher" dropdown. (They weren't backported to 3.4 because we don't list 3.4 in the version switcher dropdown anymore.)
There are currently no PRs open for either 3.4 or 3.5, and they also have no open "release blocker" or "deferred blocker" bugs. It seems things are pretty quiet in our two security-fixes-only branches--a good way to be!
I therefore propose to cut the RCs in a week and a half, and the finals two weeks later. So:
Wednesday July 18 2018 - 3.4.9rc1 and 3.5.6rc1 Wednesday August 1 2018 - 3.4.9 final and 3.5.6 final
If anybody needs more time I'm totally happy to accommodate them--you can probably have all the time you need. I'm trying to keep to my rough six-month cadence, but honestly that's pretty arbitrary.
Thanks to all of you who keep making 3.4 and 3.5 better,
//arry/
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/vano%40mail.mipt.ru
Hi, [Larry]
3.5 also got some doc-only changes related to the online "version switcher" dropdown.
About this I have a question: the switchers for english version of 3.4 and 3.5 are disabled (https://docs.python.org/3.5/) but not disabled for translations (https://docs.python.org/fr/3.5/). I don't see any mention of dropping them in PEP 101, and I don't think it's a good thing (UX point of view). Should I re-enable version and language switchers on 3.5? I think so and I can do, just give me the go (or the argument/pointers on why it's disabled). Bests, -- Julien Palard https://mdk.fr
On Jul 8, 2018, at 14:23, Julien Palard via Python-Dev
[Larry]
3.5 also got some doc-only changes related to the online "version switcher" dropdown.
About this I have a question: the switchers for english version of 3.4 and 3.5 are disabled (https://docs.python.org/3.5/) but not disabled for translations (https://docs.python.org/fr/3.5/). I don't see any mention of dropping them in PEP 101, and I don't think it's a good thing (UX point of view).
Should I re-enable version and language switchers on 3.5? I think so and I can do, just give me the go (or the argument/pointers on why it's disabled).
I'm not Larry but I believe the reason that the switchers are missing on the on-line versions of 3.4 and 3.5 docs is that we release managers manually build and update the doc sets for release branches that are in security-fix-only mode (and that have been taken out of the automatic docs-build script) and we're not clever enough to know to build them with the switchers enabled. If we can document that in our release process, that would be cool. -- Ned Deily nad@python.org -- []
On 07/08/2018 10:05 AM, Ivan Pozdeev via Python-Dev wrote:
I'll use this opportunity to remind you that 3.4 build is broken -- it can't be built from start to installer with the instructions given because of outside factors (CPython has migrated from Hg to Git). https://bugs.python.org/issue31623 about this was ignored (see https://bugs.python.org/issue31623#msg303708 for supplemental fixes).
If this isn't something considered needing a fix, the claim that 3.4 is supported in any shape and form is but a pretense -- if something can't be built, it can't be used.
By "3.4 build is broken", you mean that building the installer is broken on Windows. Sadly the maintainer of that installer is no longer part of the Python community, and as a Linux-only dev I have no way of testing any proposed change. More importantly, 3.4 is in security-fixes-only mode, which means that changes that aren't security fixes won't be accepted. Fixing this would not be a security fix. So even if the patch was clean and well-reviewed and worked perfectly I'm simply not going to merge it into 3.4. The 3.4 tree is only going to be in security-fixes mode for another eight months anyway, after which I will retire as 3.4 release manager, and 3.4 will no longer be supported by the Python core development community at all. As pointed out in that bpo issue: if the problem is entirely due to switching from "git" to "hg", then you should have very little difficulty working around that. You can use a git-to-hg bridge, or create a local-only hg repo from the 3.4 tree. That should permit you to build your own installers. I'm a little sad that the 3.4 Windows installers no longer build directly out-of-tree without such a workaround, but sometimes that's just what happens with a Python release three major releases out of date languishing in security-fixes-only mode. //arry/
On 07/08/2018 11:50 AM, Ned Deily wrote:
On Jul 8, 2018, at 14:23, Julien Palard via Python-Dev
wrote: [Larry]
3.5 also got some doc-only changes related to the online "version switcher" dropdown. About this I have a question: the switchers for english version of 3.4 and 3.5 are disabled (https://docs.python.org/3.5/) but not disabled for translations (https://docs.python.org/fr/3.5/). I don't see any mention of dropping them in PEP 101, and I don't think it's a good thing (UX point of view).
Should I re-enable version and language switchers on 3.5? I think so and I can do, just give me the go (or the argument/pointers on why it's disabled). I'm not Larry but I believe the reason that the switchers are missing on the on-line versions of 3.4 and 3.5 docs is that we release managers manually build and update the doc sets for release branches that are in security-fix-only mode (and that have been taken out of the automatic docs-build script) and we're not clever enough to know to build them with the switchers enabled. If we can document that in our release process, that would be cool.
Yes, exactly! The place to document the process would be PEP 101. (Or, if you wanted to volunteer to handle building and deploying the online docs /for/ the RMs, that works too!) I know there's an automated system that rebuilds the docs on a regular (daily? hourly?) basis for certain versions. I suspect the RMs all have login credentials for the machine where that happens. If you could make it so we could manually kick off a doc rebuild for a specific version (and tell us how to do it) that would be perfect! //arry/
On 09.07.2018 1:32, Larry Hastings wrote:
On 07/08/2018 10:05 AM, Ivan Pozdeev via Python-Dev wrote:
I'll use this opportunity to remind you that 3.4 build is broken -- it can't be built from start to installer with the instructions given because of outside factors (CPython has migrated from Hg to Git). https://bugs.python.org/issue31623 about this was ignored (see https://bugs.python.org/issue31623#msg303708 for supplemental fixes).
If this isn't something considered needing a fix, the claim that 3.4 is supported in any shape and form is but a pretense -- if something can't be built, it can't be used.
By "3.4 build is broken", you mean that building the installer is broken on Windows. Sadly the maintainer of that installer is no longer part of the Python community, and as a Linux-only dev I have no way of testing any proposed change.
Not only that, building the binaries is also broken as per https://bugs.python.org/issue31645 (that's one of the aforementioned "supplemental fixes").
More importantly, 3.4 is in security-fixes-only mode, which means that changes that aren't security fixes won't be accepted. Fixing this would not be a security fix. So even if the patch was clean and well-reviewed and worked perfectly I'm simply not going to merge it into 3.4. The 3.4 tree is only going to be in security-fixes mode for another eight months anyway, after which I will retire as 3.4 release manager, and 3.4 will no longer be supported by the Python core development community at all.
I kinda don't see a point of claiming any kind of support and doing any work if the codebase is unusable. All that achieves is confused users and wasted time for everyone involved. If you "a Linux-only dev" and no-one is going to look at the Windows part, why not just say clearly that this version line is not supported outside Linux? I'm okay with that (what is and isn't supported is none of my business). At least, there won't be a nasty surprise when I rely on the team's claim that the code is workable, and it actually isn't -- and another one when I go for the trouble to provide a fix, and is told that I'm a troublemaker and has just massively wasted my and everybody else's time as a thanks. Besides, that'll be a reason to officially close all still-open tickets for 3.4/3.5 (there are about 2000 that are mentioning them) regardless of the topic (I've checked that none are currently marked as security issues).
As pointed out in that bpo issue: if the problem is entirely due to switching from "git" to "hg", then you should have very little difficulty working around that. You can use a git-to-hg bridge, or create a local-only hg repo from the 3.4 tree. That should permit you to build your own installers. I'm a little sad that the 3.4 Windows installers no longer build directly out-of-tree without such a workaround, but sometimes that's just what happens with a Python release three major releases out of date languishing in security-fixes-only mode.
//arry/
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/vano%40mail.mipt.ru
On 7/8/2018 1:05 PM, Ivan Pozdeev via Python-Dev wrote:
I'll use this opportunity to remind you that 3.4 build is broken -- it can't be built from start to installer with the instructions given because of outside factors (CPython has migrated from Hg to Git). https://bugs.python.org/issue31623 about this was ignored (see https://bugs.python.org/issue31623#msg303708 for supplemental fixes).
If this isn't something considered needing a fix, the claim that 3.4 is supported in any shape and form is but a pretense
Another wild exaggeration that inhibits me, and I suspect others, from attending to your legitimate issue.
-- if something can't be built, it can't be used.
but 3.4 source security releases can be built and used on *nix. What is true is that we do not currently support building new releases on XP. We never did for 3.5, and can no longer test for 3.4. Partly as a consequence, we are not currently supporting (updating scripts for) building 3.4 on Windows. But Windows is not all systems.
On 08.07.2018 10:45, Larry Hastings wrote:
My six-month cadence means it's time for the next releases of 3.4 and 3.5. There haven't been many changes since the last releases--two, to be exact. These two security fixes were backported to both 3.4 and 3.5:
* bpo-32981: Fix catastrophic backtracking vulns (GH-5955) * bpo-33001: Prevent buffer overrun in os.symlink (GH-5989)
3.5 also got some doc-only changes related to the online "version switcher" dropdown. (They weren't backported to 3.4 because we don't list 3.4 in the version switcher dropdown anymore.)
There are currently no PRs open for either 3.4 or 3.5,
I verified that https://bugs.python.org/issue31623 is open and marked for 3.4 and has been so since last September. Unless you think there is plausible chance that it might be applied before the end, I think you should reject and close it now. That said, searching for open 3.4 issues returns 1617 items, almost none of which are even possibly applicable. You cannot even begin to wade thru and fix the headers. Adding type 'security' gives 8 hits, none of which are the 2 above. 4 have patches attached, which need to be turned into PRs to proceed. You might look at these 4.
and they also have no open "release blocker" or "deferred blocker" bugs.
It seems things are pretty quiet in our two security-fixes-only branches--a good way to be!
I therefore propose to cut the RCs in a week and a half, and the finals two weeks later. So:
Wednesday July 18 2018 - 3.4.9rc1 and 3.5.6rc1 Wednesday August 1 2018 - 3.4.9 final and 3.5.6 final
I presume that this will be the last before the wrap-up next March. -- Terry Jan Reedy
On 7/8/2018 8:35 PM, Terry Reedy wrote:
On 7/8/2018 1:05 PM, Ivan Pozdeev via Python-Dev wrote:
I'll use this opportunity to remind you that 3.4 build is broken -- it can't be built from start to installer with the instructions given because of outside factors (CPython has migrated from Hg to Git). https://bugs.python.org/issue31623 about this was ignored (see https://bugs.python.org/issue31623#msg303708 for supplemental fixes).
If this isn't something considered needing a fix, the claim that 3.4 is supported in any shape and form is but a pretense
Another wild exaggeration that inhibits me, and I suspect others, from attending to your legitimate issue.
Yes, thanks for writing this, Terry. Given Ivan's previous behavior on his "Drop/deprecate Tkinter?" thread, and combined with this thread, I'm unlikely to spend my free time on his particular issue here. Eric
On Sun, Jul 8, 2018, 18:30 Eric V. Smith,
On 7/8/2018 8:35 PM, Terry Reedy wrote:
On 7/8/2018 1:05 PM, Ivan Pozdeev via Python-Dev wrote:
I'll use this opportunity to remind you that 3.4 build is broken -- it can't be built from start to installer with the instructions given because of outside factors (CPython has migrated from Hg to Git). https://bugs.python.org/issue31623 about this was ignored (see https://bugs.python.org/issue31623#msg303708 for supplemental fixes).
If this isn't something considered needing a fix, the claim that 3.4 is supported in any shape and form is but a pretense
Another wild exaggeration that inhibits me, and I suspect others, from attending to your legitimate issue.
Yes, thanks for writing this, Terry. Given Ivan's previous behavior on his "Drop/deprecate Tkinter?" thread, and combined with this thread, I'm unlikely to spend my free time on his particular issue here.
Ditto for this specific issue and in general. People forget that we are doing all of this as a kindness for the community since most of us probably don't benefit from another 3.4 release, so any negativity is at best treated with indifference and at worst as de-motivating to any effort into open source (I know for me I'm definitely no longer in the mood to spend my free time on open source today if this is how people are going to treat my hard, volunteer work). -Brett
Eric _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/brett%40python.org
On 2018-07-08, 22:32 GMT, Larry Hastings wrote:
More importantly, 3.4 is in security-fixes-only mode, which means that changes that aren't security fixes won't be accepted.
So, why isn’t https://bugs.python.org/issue31623 closed as WONTFIX (or whatever is the equivalent in b.p.o)? If we don't close our bugs, we surely will drown in them even more. Best, Matěj -- https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8 Give your heartache to him. (1Pt 5,7; Mt 11:28-30)
participants (8)
-
Brett Cannon
-
Eric V. Smith
-
Ivan Pozdeev
-
Julien Palard
-
Larry Hastings
-
Matěj Cepl
-
Ned Deily
-
Terry Reedy