[WARNING] Some users who downloaded the Python 3.5.8 .xz tarball got the wrong version
Larry Hastings
larry at hastings.org
Wed Oct 30 19:17:49 EDT 2019
Due to awkward CDN caching, some users who downloaded the source code
tarballs of Python 3.5.8 got a preliminary version instead of the final
version. As best as we can tell, this only affects the .xz release;
there are no known instances of users downloading an incorrect version
of the .tgz file.
If you downloaded "Python-3.5.8.tar.xz" during the first twelve hours of
its release, you might be affected. It's easy to determine this for
yourself. The file size (15,382,140 bytes) and MD5 checksum
(4464517ed6044bca4fc78ea9ed086c36) published on the release page have
always matched the correct version. Also, the GPG signature file will
only report a "Good signature" for the correct .xz file (using "gpg
--verify").
What's the difference between the two? The only difference is that the
final version also merges a fix for Python issue tracker #38243:
https://bugs.python.org/issue38243
The fix adds a call to "html.escape" at a judicious spot, line 896 in
Lib/xmlrpc/server.py. The only other changes are one new test, to
ensure this new code is working, and an entry in the NEWS file. You can
see the complete list of changes here:
https://github.com/python/cpython/pull/16516/files
What should you do? It's up to you.
* If you and your users aren't using the XMLRPC library built in to
Python, you don't need to worry about which version of 3.5.8 you
downloaded.
* If you downloaded the .tgz tarball or the Git repo, you already have
the correct version.
* If you downloaded the xz file and want to make sure you have the
fix, check the MD5 sum, and if it's wrong download a fresh copy (and
make sure that one matches the known good MD5 sum!).
To smooth over this whole sordid mess, I plan to make a 3.5.9 release in
the next day or so. It'll be identical to the 3.5.8 release; its only
purpose is to ensure that all users have the same updated source code,
including the fix for #38243.
Sorry for the mess, everybody,
//arry/
More information about the Python-list
mailing list