[pypy-dev] time for a new release

Michał Górny mgorny at gentoo.org
Thu Sep 10 07:08:34 EDT 2020


On Thu, 2020-09-10 at 14:00 +0300, Matti Picus wrote:
> On 9/10/20 1:45 PM, Michał Górny wrote:
> > So far I and the Fedora maintainer were able to independently backport
> > one vulnerability that clearly applied (the tarfile one) but we weren't
> > able to get a clear match of any other Python 3.x fixes to 2.7 codebase.
> > Well, until today when thanks to you I've noticed that http.request
> > code has a vulnerable match in httplib.
> > 
> > But this all is lots of work, and I'm really supposed to be doing
> > something else right now.  I'm trying my best but I'm not sure if I can
> > manage to fix several months of negligence in two days.
> 
> Thanks for all you are doing. The release deadline is only a motivator 
> for now since we could do another much smaller release next month if needed.
> 
> I want to move toward python3.7 as soon as possible since the scientific 
> python stack's stated python version policy means 3.6 will no longer be 
> expressly supported especially after 3.9 comes out.
> 

I wholeheartedly support that.  Gentoo has switched to Python 3.7 by
default already, and it sucks that the only version of PyPy3 is behind
that.  That said, have you considered going straight to 3.8?  In my
experience, the switch from 3.7 to 3.8 was far less painful than from
3.6 to 3.7, so it might be less work to skip 3.7 entirely.

-- 
Best regards,
Michał Górny
