On 5/28/2020 5:20 PM, Peter J. Holzer wrote:
> On 2020-05-23 13:22:26 -0600, Mats Wichmann wrote:
>> On 5/23/20 12:23 AM, Adam Preble wrote:
>>> I wanted to update from 3.6.8 on Windows without necessarily moving
>>> on to 3.7+ (yet), so I thought I'd try 3.6.9 or 3.6.10.
>>> All I see for both are source archives:
>>
>> During the early part of a release cycle, installers are built.

Only for Windows and now for macOS. Python.org only ever distributes
source archives for *nix. Distributors can add binaries to their
package system.

>> Once
>> the cycle moves into security fix-only mode, installers are not built.

We continue to apply security fixes for the benefit of server operators
who are slow to upgrade and who want minimal change -- only those that
they really need. We make security-fix releases primarily for the
benefit of *nix distributors who want to update their x.y package, but
not for every x.y commit. It also gives a periodic new name for Python
x.y with a new batch of fixes.

> This seems a rather odd policy to me.

Not if one considers the intended users.
Do you prefer we not make these releases?

Anyone running servers on Windows should have Visual Studio and git
installed as they should be able to compile their own binaries. Anyone
with control of their machine (so that they can download and install
things) can install VS and git with the instructions in
devguide.python.org. At that point, clone python/cpython and run
PCbuild\build.bat -e (to build external dependencies) and maybe add
other options, and python(_d).exe will appear in PCbuild\win32.

> Distributing a security fix in
> source-only form will prevent many people from applying it (especially
> on Windows).

Nearly all bug fixes considered to be security risk fixes are first
applied to master (the 'next' version), then maintenance versions, which
do get installers, and only then to old security-fix versions. The
latter take extra effort as they are less likely to automatically
backport, and on Windows, older versions run on more Windows versions.
The OP is so far choosing to not use an installer with those fixes. By
not doing so, he is missing out on the maybe 2000 non-security fixes and
some enhancements that likely would benefit him more than maybe 50
mostly obscure fixes added between 3.6.8 and 3.6.10*. If a rare user
such as Adam also chooses to not compile the latter, that is his choice.
*In the last 12 months, the ratio of fixed security issues to all fixed
issues is 51/2087 = 2.4%, and for 5 years, 112/7825 = 1.4%. There are
68 open security issues, some of which will be closed other than as 'fixed'.
Source-only releases only block Windows/Mac users who choose not to
upgrade to a released installer and who cannot or choose not to compile.
--
Terry Jan Reedy