[Python-Dev] 3.7.1 and 3.6.7 Releases Coming Soon

Ned Deily nad at python.org
Fri Sep 21 09:08:52 EDT 2018

On Sep 21, 2018, at 05:37, Christian Heimes <christian at python.org> wrote:
> On 19/09/2018 23.12, Ned Deily wrote:
>> Update: not surprisingly, there have been a number of issues that have popped up during and since the sprint that we would like to ensure are addressed in 3.7.1 and 3.6.7.  In order to do so, I've been holding off on starting the releases. I think we are now getting close to having the important ones resolved so I'm going to plan on cutting off code for 3.7.1rc1 and 3.6.7rc1 by the end of 2018-09-20 (23:59 AoE).  That's roughly 38 hours from now.
> I'm really sorry, but would it be possible to delay the RCs until Sunday
> or Monday AoE?
> Some of the XML security fixes, OpenSSL 1.1.1 fixes (TLS 1.3
> post-handshake authentication), and SSL module regression haven't landed
> yet. I'm confident that I can land most to all fixes during the weekend.
> Related PRs are:
> * https://github.com/python/cpython/pull/9468
> * https://github.com/python/cpython/pull/9460
> * https://github.com/python/cpython/pull/9217
> * https://github.com/python/cpython/pull/9265
> I'm also still collaborating with Sebastian Pipping (libexpat
> maintainer) on the DoS mitigations (CVE-2013-0340). My initial patch had
> some flaws. I might be able to get expat release 2.3.0 in time, too.
> https://github.com/libexpat/libexpat/pull/220

I agree that it would be good to get the security-related and OpenSSL-related fixes in sooner than later and there has been a lot going on recently.  Since you have asked so nicely, I have rescheduled the cutoffs for 3.7.1rc1 and 3.6.7rc1 to be by the end of 2018-09-24 (23:59 AoE) and the final releases now on 2018-10-04.

Everyone else: here are a few more days to get important things in to these releases.

  Ned Deily
  nad at python.org -- []

More information about the Python-Dev mailing list