Backport critical bugfixes?
Hi,
What is the policy for "critical" bugfixes regarding Python branches which only accept security fixes?
I'm thinking of https://bugs.python.org/issue31095 "fix potential crash during GC".
The bug was fixed in Python 3.5 while this change only accepted security fixes. Should we backport the fix to Python 3.3 and 3.4 as well?
Victor
On Sep 28, 2017, at 10:44, Victor Stinner <victor.stinner@gmail.com> wrote:
The bug was fixed in Python 3.5 while this change only accepted security fixes. Should we backport the fix to Python 3.3 and 3.4 as well?
Larry can speak for 3.4 but 3.3 has reached end-of-life. No more fixes for it.
-- Ned Deily nad@python.org
On 29 September 2017 at 00:44, Victor Stinner <victor.stinner@gmail.com> wrote:
Hi,
What is the policy for "critical" bugfixes regarding Python branches which only accept security fixes?
I'm thinking of https://bugs.python.org/issue31095 "fix potential crash during GC".
The bug was fixed in Python 3.5 while this change only accepted security fixes. Should we backport the fix to Python 3.3 and 3.4 as well?
Generally speaking, no, since we ship with known segfaults as a baseline state (even without accounting for ctypes), which means security policies around managing CPython deployments already need to take "It may segfault" into account.
While I do think it would be nice to be able to change that policy and treat all new non-ctypes segfaults as security flaws, we'd need to work through the crashers list (see Lib/test/test_crashers.py) and resolve the already known segfaults first.
Cheers, Nick.
-- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia