[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Python-Dev] Time for 3.4.9 and 3.5.6

On 7/8/2018 1:05 PM, Ivan Pozdeev via Python-Dev wrote:
> I'll use this opportunity to remind you that 3.4 build is broken -- it 
> can't be built from start to installer with the instructions given 
> because of outside factors (CPython has migrated from Hg to Git). 
> https://bugs.python.org/issue31623 about this was ignored (see 
> https://bugs.python.org/issue31623#msg303708 for supplemental fixes).
> If this isn't something considered needing a fix, the claim that 3.4 is 
> supported in any shape and form is but a pretense

Another wild exaggeration that inhibits me, and I suspect others, from 
attending to your legitimate issue.

> -- if something can't be built, it can't be used.

but 3.4 source security releases can be built and used on *nix.

What is true is that we do not currently support building new releases 
on XP.  We never did for 3.5, and can no longer test for 3.4.  Partly as 
a consequence, we are not currently supporting (updating scripts for) 
building 3.4 on Windows.  But Windows is not all systems.

> On 08.07.2018 10:45, Larry Hastings wrote:
>> My six-month cadence means it's time for the next releases of 3.4 and 
>> 3.5.? There haven't been many changes since the last releases--two, to 
>> be exact.? These two security fixes were backported to both 3.4 and 3.5:
>>   * bpo-32981: Fix catastrophic backtracking vulns (GH-5955)
>>   * bpo-33001: Prevent buffer overrun in os.symlink (GH-5989)
>> 3.5 also got some doc-only changes related to the online "version 
>> switcher" dropdown.? (They weren't backported to 3.4 because we don't 
>> list 3.4 in the version switcher dropdown anymore.)
>> There are currently no PRs open for either 3.4 or 3.5,

I verified that https://bugs.python.org/issue31623 is open and marked 
for 3.4 and has been so since last September.  Unless you think there is 
plausible chance that it might be applied before the end, I think you 
should reject and close it now.

That said, searching for open 3.4 issues returns 1617 items, almost none 
of which are even possibly applicable.  You cannot even begin to wade 
thru and fix the headers.

Adding type 'security' gives 8 hits, none of which are the 2 above.  4 
have patches attached, which need to be turned into PRs to proceed.  You 
might look at these 4.

>> and they also 
>> have no open "release blocker" or "deferred blocker" bugs.

>> It seems 
>> things are pretty quiet in our two security-fixes-only branches--a 
>> good way to be!
>> I therefore propose to cut the RCs in a week and a half, and the 
>> finals two weeks later.? So:
>>     Wednesday? July 18 2018 - 3.4.9rc1 and 3.5.6rc1
>>     Wednesday August 1 2018 - 3.4.9 final and 3.5.6 final

I presume that this will be the last before the wrap-up next March.

Terry Jan Reedy