[pypy-dev] time for a new release

Michał Górny mgorny at gentoo.org
Wed Sep 9 17:04:55 EDT 2020


On Wed, 2020-09-09 at 12:41 +0300, Matti Picus wrote:
> On 9/9/20 9:55 AM, Michał Górny wrote:
> > On Tue, 2020-09-08 at 23:15 +0300, Matti Picus wrote:
> > > I have uploaded rc1 of pypy v7.3.2 to https://buildbot.pypy.org/pypy/ (note the trailing slash) which should be mirrored soon to https://downloads.python.org/pypy/
> > > 
> > > The hashes are here https://foss.heptapod.net/pypy/pypy.org/-/blob/branch/default/pages/download_advanced.rst#L465
> > > 
> > > The release note is here https://doc.pypy.org/en/latest/release-v7.3.2.html
> > > 
> > > This release does include a 3.7 alpha.
> > > 
> > > Please try them out, especially on windows (extra points for non-english interfaces and install paths) and macos (extra points for machines that run without homebrew stuff installed), to make sure you can run your project with them.
> > > 
> > > Any comments are welcome.
> > > 
> > What's the vulnerability status of stdlib?
> > 
> > I've tested pypy2.7 and pypy3.6 so far and neither seems to contain the
> > CVE-2019-20907 fix (it was never backported to py2.7); the patch from [1]
> > seems to apply cleanly to both.
> > 
> > pypy3.6 seems to be missing bpo-39603, and the patch from [2] doesn't
> > apply cleanly (does pypy3 contain an outdated or modified version?).
> > 
> > CVE-2020-14422 is also unresolved.
> > 
> > Could you please either update stdlib of pypy3.6 or look through CPython
> > changes and backport the security fixes?  For pypy2.7, please backport
> > [1] directly since upstream is no longer maintaining that branch.
> > 
> > [1] https://github.com/python/cpython/commit/47a2955589bdb1a114d271496ff803ad73f954b8
> > [2] https://github.com/python/cpython/commit/f02de961b9f19a5db0ead56305fe0057a78787ae
> > 
> 
> Thanks for looking at this. We ship stdlib 2.7.13, 3.6.9, 3.7.4 with some 
> slight modifications, including backporting some fixes.
> 
> 
> I fixed CVE-2019-20907 for pypy2.7, pypy3.6, and CVE-2020-14422 for 
> py3.6, 3.7
> 
> bpo-39603 is part of 3.6.12, 3.7.9 which were shipped 25 days ago, and that file has changed significantly since the versions we ship.
> 
> Updating the stdlib is a large undertaking, help welcome for py2.7 and 
> py3.7. I don't think it is worth the effort for py3.6.

Is this something to be done just before the release?  Would you accept
fixes rebased specifically on top of current pypy code?

Unless I'm mistaken, bpo-39603 should be trivial to fix.  I can submit
a merge request if you want.  However, it's so trivial it'd probably
take you less time to fix it yourself than me to recall how to use
mercurial again ;-).

-- 
Best regards,
Michał Górny
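A probe for two of the stdlib fixes discussed in this thread, added here as an example; it is not code from the thread, from PyPy or from CPython. It checks whether the interpreter running it carries the bpo-39603 method validation in http.client and the CVE-2020-14422 change to IPv4Interface hashing, using only local library calls (no socket is opened). The legacy xor hash formula is reproduced from memory of the pre-fix ipaddress module and the 10.0.k.5/24 sample addresses are constructed; CVE-2019-20907 is deliberately not probed, because an unpatched tarfile loops forever on the crafted header, which is not something a check script should trigger.

```python
"""Probe the running interpreter for two stdlib security fixes.

Run it under the interpreter you want to assess (e.g. a PyPy build):
    pypy3 probe_stdlib_fixes.py
"""
import http.client
import ipaddress


def rejects_header_injection_in_method() -> bool:
    """bpo-39603: a patched http.client refuses a method name containing
    control characters (CR/LF) before it builds the request line.

    HTTPConnection.putrequest() only appends to an internal buffer; no
    socket is opened until endheaders()/send(), so this runs offline.
    """
    conn = http.client.HTTPConnection("localhost")  # never connected
    try:
        # Constructed method string with an embedded CRLF.
        conn.putrequest("GET\r\nX-Probe: constructed", "/")
    except ValueError:
        return True   # fixed: method validated and rejected
    return False      # unfixed: CRLF accepted into the request line


def legacy_interface_hash(iface: ipaddress.IPv4Interface) -> int:
    """The pre-CVE-2020-14422 hash formula (xor of address, prefix length
    and network address), reproduced only to measure its collisions.
    Assumption: this matches the formula the fix replaced."""
    return (int(iface.ip)
            ^ iface.network.prefixlen
            ^ int(iface.network.network_address))


def interface_hash_collisions(n_networks: int = 200, host: int = 5):
    """CVE-2020-14422: count distinct hashes for interfaces that share a
    host offset but sit in different /24 networks.

    Under the xor formula every such interface hashes to host ^ 24, so all
    of them collide into one dictionary bucket; a fixed interpreter hashes
    the (ip, prefixlen, network) tuple and yields distinct values.
    Returns (live_distinct, legacy_distinct, sample_size).
    """
    # Constructed sample: 10.0.k.<host>/24 for k in range(n_networks)
    ifaces = [ipaddress.IPv4Interface(f"10.0.{k}.{host}/24")
              for k in range(n_networks)]
    live = {hash(i) for i in ifaces}
    legacy = {legacy_interface_hash(i) for i in ifaces}
    return len(live), len(legacy), len(ifaces)


def report() -> dict:
    """Summarise both probes as fixed/unfixed flags."""
    live, legacy, n = interface_hash_collisions()
    return {
        "bpo-39603 (http.client method validation)":
            rejects_header_injection_in_method(),
        "CVE-2020-14422 (IPv4Interface hash)": live == n,
        "legacy-formula collisions in sample": n - legacy,
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Both probes answer the question asked in the thread ("what's the vulnerability status of stdlib?") for one interpreter at a time, so the same script can be run against a CPython and a PyPy build and the two reports compared; a `False` for either flag means the corresponding fix is absent from that build's stdlib.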
