[Python-Dev] [WARNING] Some users who downloaded the Python 3.5.8 .xz tarball got the wrong version
Michael
aixtools at felt.demon.nl
Thu Oct 31 08:30:46 EDT 2019
On 31/10/2019 00:17, Larry Hastings wrote:
>
>
> Due to awkward CDN caching, some users who downloaded the source code
> tarballs of Python 3.5.8 got a preliminary version instead of the
> final version. As best as we can tell, this only affects the .xz
> release; there are no known instances of users downloading an
> incorrect version of the .tgz file.
>
> If you downloaded "Python-3.5.8.tar.xz" during the first twelve hours
> of its release, you might be affected. It's easy to determine this
> for yourself. The file size (15,382,140 bytes) and MD5 checksum
> (4464517ed6044bca4fc78ea9ed086c36) published on the release page have
> always matched the correct version. Also, the GPG signature file will
> only report a "Good signature" for the correct .xz file (using "gpg
> --verify").
>
> What's the difference between the two? The only difference is that
> the final version also merges a fix for Python issue tracker #38243:
>
> https://bugs.python.org/issue38243
>
> The fix adds a call to "html.escape" at a judicious spot, line 896 in
> Lib/xmlrpc/server.py. The only other changes are one new test, to
> ensure this new code is working, and an entry in the NEWS file. You
> can see the complete list of changes here:
>
> https://github.com/python/cpython/pull/16516/files
>
> What should you do? It's up to you.
>
> * If you and your users aren't using the XMLRPC library built in to
> Python, you don't need to worry about which version of 3.5.8 you
> downloaded.
> * If you downloaded the .tgz tarball or the Git repo, you already
> have the correct version.
> * If you downloaded the xz file and want to make sure you have the
> fix, check the MD5 sum, and if it's wrong download a fresh copy
> (and make sure that one matches the known good MD5 sum!).
>
> To smooth over this whole sordid mess, I plan to make a 3.5.9 release
> in the next day or so. It'll be identical to the 3.5.8 release; its
> only purpose is to ensure that all users have the same updated source
> code, including the fix for #38243.
>
>
> Sorry for the mess, everybody,
>
a) "Congratulations" on the 3.5.8 release
b) excellent solution - to up the release number!
c) Thanks!!
>
> //arry/
>
>