PyCA cryptography 3.0 released

2020-07-20 Thread Paul Kehrer 
PyCA cryptography 3.0 has been released to PyPI. cryptography includes
both high level recipes and low level interfaces to common
cryptographic algorithms such as symmetric ciphers, asymmetric
algorithms, message digests, X509, key derivation functions, and much
more. We support Python 2.7, Python 3.5+, and PyPy.

Changelog (https://cryptography.io/en/latest/changelog/#v3-0):
* BACKWARDS INCOMPATIBLE: Removed support for passing an Extension
instance to from_issuer_subject_key_identifier(), as per our
deprecation policy.
* BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0
has been removed (2.9.1+ is still supported).
* BACKWARDS INCOMPATIBLE: Dropped support for macOS 10.9, macOS users
must upgrade to 10.10 or newer.
* BACKWARDS INCOMPATIBLE: RSA generate_private_key() no longer accepts
public_exponent values except 65537 and 3 (the latter for legacy
purposes).
* BACKWARDS INCOMPATIBLE: X.509 certificate parsing now enforces that
the version field contains a valid value, rather than deferring this
check until version is accessed.
* Deprecated support for Python 2. At the time there is no time table
for actually dropping support, however we strongly encourage all users
to upgrade their Python, as Python 2 no longer receives support from
the Python core team.
* Added support for OpenSSH serialization format for ec, ed25519, rsa
and dsa private keys: load_ssh_private_key() for loading and OpenSSH
for writing.
* Added support for OpenSSH certificates to load_ssh_public_key().
* Added encrypt_at_time() and decrypt_at_time() to Fernet.
* Added support for the SubjectInformationAccess X.509 extension.
* Added support for parsing SignedCertificateTimestamps in OCSP responses.
* Added support for parsing attributes in certificate signing requests
viaget_attribute_for_oid().
* Added support for encoding attributes in certificate signing
requests via add_attribute().
* On OpenSSL 1.1.1d and higher cryptography now uses OpenSSL’s
built-in CSPRNG instead of its own OS random engine because these
versions of OpenSSL properly reseed on fork.
* Added initial support for creating PKCS12 files with
serialize_key_and_certificates().

-Paul Kehrer (reaperhulk)
___
Python-announce-list mailing list -- python-announce-list@python.org
To unsubscribe send an email to python-announce-list-le...@python.org
https://mail.python.org/mailman3/lists/python-announce-list.python.org/
Member address: arch...@mail-archive.com

[RELEASE] Python 3.8.5 released as a security hotfix. 3.9.0b5, the last beta before 3.9.0, also available

2020-07-20 Thread Łukasz Langa 
This is a combined release of Python 3.8.5 and 3.9.0b5. Both are significant 
but for different reasons. Let’s dig in!

Security content in 3.8.5

We decided to release 3.8.5 ahead of schedule due to a number of 
security-related fixes. All details can be found in the change log 
 but 
the gist is:

CVE-2019-20907 : infinite loop in a 
maliciously created .tar file
BPO-41288 : segmentation fault during 
unpickling of objects using a crafted NEWOBJ_EX opcode
BPO-39603 : HTTP headers could be injected 
through a maliciously crafter method parameter in http.client
the original fix for CVE-2020-15801 caused a regression in 3.8.4 (see: 
BPO-41304 )
A small number of other urgent regression fixes and quality-of-life 
improvements are also present in the release. Get the release here:

https://www.python.org/downloads/release/python-385/ 


Maintenance releases for the 3.8 series will continue at the regular bi-monthly 
calendar, with 3.8.6 planned for mid-September 2020.
The last beta of Python 3.9.0 now also available

Python 3.9 is still in development. This release, 3.9.0b5, is the last of five 
planned beta release previews. Beta release previews are intended to give the 
wider community the opportunity to test new features and bug fixes and to 
prepare their projects to support the new feature release. You can get 3.9.0b5 
here:

https://www.python.org/downloads/release/python-390b5/ 


The next pre-release, the first release candidate of Python 3.9.0, will be 
3.9.0rc1. It is currently scheduled for 2020-08-10.
Call to action

We strongly encourage maintainers of third-party Python projects to test with 
3.9 during the beta phase and report issues found to the Python bug tracker 
 as soon as possible. While the release is planned to 
be feature complete entering the beta phase, it is possible that features may 
be modified or, in rare cases, deleted up until the start of the release 
candidate phase (2020-08-10). Our goal is have no ABI changes after beta 5 and 
as few code changes as possible after 3.9.0rc1, the first release candidate. To 
achieve that, it will be extremely important to get as much exposure for 3.9 as 
possible during the beta phase.

Please keep in mind that this is a preview release and its use is not 
recommended for production environments.

A reminder for core developers

To help make Python 3.9.0 the best possible release, our Development Cycle 
 section of the 
Python Developer’s Guide documents that:

A branch preparing for an RC release can only have bugfixes applied that have 
been reviewed by other core developers. Generally, these issues must be severe 
enough (e.g. crashes) that they deserve fixing before the final release. All 
other issues should be deferred to the next development cycle, since stability 
is the strongest concern at this point.

You cannot skip the peer review during an RC, no matter how small! Even if it 
is a simple copy-and-paste change, everything requires peer review from a core 
developer.

Major new features of the 3.9 series, compared to 3.8

Some of the new major new features and changes in Python 3.9 are:

PEP 584 , Union Operators in dict

PEP 585 , Type Hinting Generics In 
Standard Collections

PEP 593 , Flexible function and 
variable annotations

PEP 602 , Python adopts a stable 
annual release cadence

PEP 615 , Support for the IANA Time 
Zone Database in the Standard Library

PEP 616 , String methods to remove 
prefixes and suffixes

PEP 617 , New PEG parser for CPython

BPO 38379 , garbage collection does not 
block on resurrected objects;

BPO 38692 , os.pidfd_open added that allows 
process management without races and signals;

BPO 39926 , Unicode support updated to 
version 13.0.0;

BPO 1635741 , when Python is initialized 
multiple times in the same process, it does not leak memory anymore;

A number of Python builtins (range, tuple, set, frozenset, list, dict) are now 
sped up using PEP 590  vectorcall;

A number of Python modules (_abc, audioop, _bz2, _codecs, _contextvars, _crypt, 
_functools, _json, _locale, operator, resource, time, _weakref)

EuroPython 2020: Introducing our Diamond Sponsor Bloomberg

2020-07-20 Thread M.-A. Lemburg 
We are very pleased to have Bloomberg as Diamond Sponsor for EuroPython
2020. Without sponsors like Bloomberg, we wouldn't be able to make the
event affordable.

You will be able to visit their sponsor exhibit rooms and take the
opportunity to chat with their staff to learn more about the large
Python eco-system they have built internally and how they are
collaborating with the Python community.

Please read a hosted blog post from Bloomberg on our blog with full
detail:

https://blog.europython.eu/post/624164489818980352/europython-2020-introducing-our-diamond-sponsor


Help spread the word


Please help us spread this message by sharing it on your social networks
as widely as possible. Thank you !

Link to the blog post:

https://blog.europython.eu/post/624164489818980352/europython-2020-introducing-our-diamond-sponsor

Tweet:

https://twitter.com/europython/status/1285198014060154882

Thanks,
--
EuroPython 2020 Team
https://ep2020.europython.eu/
https://www.europython-society.org/
___
Python-announce-list mailing list -- python-announce-list@python.org
To unsubscribe send an email to python-announce-list-le...@python.org
https://mail.python.org/mailman3/lists/python-announce-list.python.org/
Member address: arch...@mail-archive.com