Re: [Python-Dev] Time for 3.4.9 and 3.5.6
On 2018-07-08, 22:32 GMT, Larry Hastings wrote: > More importantly, 3.4 is in security-fixes-only mode, which > means that changes that aren't security fixes won't be > accepted. So, why isn’t https://bugs.python.org/issue31623 closed as WONTFIX (or whatever is the equivalent in b.p.o)? If we don't close our bugs, we surely will drown in them even more. Best, Matěj -- https://matej.ceplovi.cz/blog/, Jabber: mc...@ceplovi.cz GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8 Give your heartache to him. (1Pt 5,7; Mt 11:28-30) ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Time for 3.4.9 and 3.5.6
On Sun, Jul 8, 2018, 18:30 Eric V. Smith, wrote: > On 7/8/2018 8:35 PM, Terry Reedy wrote: > > On 7/8/2018 1:05 PM, Ivan Pozdeev via Python-Dev wrote: > >> I'll use this opportunity to remind you that 3.4 build is broken -- it > >> can't be built from start to installer with the instructions given > >> because of outside factors (CPython has migrated from Hg to Git). > >> https://bugs.python.org/issue31623 about this was ignored (see > >> https://bugs.python.org/issue31623#msg303708 for supplemental fixes). > >> > >> If this isn't something considered needing a fix, the claim that 3.4 > >> is supported in any shape and form is but a pretense > > > > Another wild exaggeration that inhibits me, and I suspect others, from > > attending to your legitimate issue. > > Yes, thanks for writing this, Terry. Given Ivan's previous behavior on > his "Drop/deprecate Tkinter?" thread, and combined with this thread, I'm > unlikely to spend my free time on his particular issue here. > Ditto for this specific issue and in general. People forget that we are doing all of this as a kindness for the community since most of us probably don't benefit from another 3.4 release, so any negativity is at best treated with indifference and at worst as de-motivating to any effort into open source (I know for me I'm definitely no longer in the mood to spend my free time on open source today if this is how people are going to treat my hard, volunteer work). -Brett > Eric > ___ > Python-Dev mailing list > Python-Dev@python.org > https://mail.python.org/mailman/listinfo/python-dev > Unsubscribe: > https://mail.python.org/mailman/options/python-dev/brett%40python.org > ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Time for 3.4.9 and 3.5.6
On 7/8/2018 8:35 PM, Terry Reedy wrote: On 7/8/2018 1:05 PM, Ivan Pozdeev via Python-Dev wrote: I'll use this opportunity to remind you that 3.4 build is broken -- it can't be built from start to installer with the instructions given because of outside factors (CPython has migrated from Hg to Git). https://bugs.python.org/issue31623 about this was ignored (see https://bugs.python.org/issue31623#msg303708 for supplemental fixes). If this isn't something considered needing a fix, the claim that 3.4 is supported in any shape and form is but a pretense Another wild exaggeration that inhibits me, and I suspect others, from attending to your legitimate issue. Yes, thanks for writing this, Terry. Given Ivan's previous behavior on his "Drop/deprecate Tkinter?" thread, and combined with this thread, I'm unlikely to spend my free time on his particular issue here. Eric ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Time for 3.4.9 and 3.5.6
On 7/8/2018 1:05 PM, Ivan Pozdeev via Python-Dev wrote: I'll use this opportunity to remind you that 3.4 build is broken -- it can't be built from start to installer with the instructions given because of outside factors (CPython has migrated from Hg to Git). https://bugs.python.org/issue31623 about this was ignored (see https://bugs.python.org/issue31623#msg303708 for supplemental fixes). If this isn't something considered needing a fix, the claim that 3.4 is supported in any shape and form is but a pretense Another wild exaggeration that inhibits me, and I suspect others, from attending to your legitimate issue. -- if something can't be built, it can't be used. but 3.4 source security releases can be built and used on *nix. What is true is that we do not currently support building new releases on XP. We never did for 3.5, and can no longer test for 3.4. Partly as a consequence, we are not currently supporting (updating scripts for) building 3.4 on Windows. But Windows is not all systems. On 08.07.2018 10:45, Larry Hastings wrote: My six-month cadence means it's time for the next releases of 3.4 and 3.5. There haven't been many changes since the last releases--two, to be exact. These two security fixes were backported to both 3.4 and 3.5: * bpo-32981: Fix catastrophic backtracking vulns (GH-5955) * bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) 3.5 also got some doc-only changes related to the online "version switcher" dropdown. (They weren't backported to 3.4 because we don't list 3.4 in the version switcher dropdown anymore.) There are currently no PRs open for either 3.4 or 3.5, I verified that https://bugs.python.org/issue31623 is open and marked for 3.4 and has been so since last September. Unless you think there is plausible chance that it might be applied before the end, I think you should reject and close it now. That said, searching for open 3.4 issues returns 1617 items, almost none of which are even possibly applicable. You cannot even begin to wade thru and fix the headers. Adding type 'security' gives 8 hits, none of which are the 2 above. 4 have patches attached, which need to be turned into PRs to proceed. You might look at these 4. and they also have no open "release blocker" or "deferred blocker" bugs. It seems things are pretty quiet in our two security-fixes-only branches--a good way to be! I therefore propose to cut the RCs in a week and a half, and the finals two weeks later. So: Wednesday July 18 2018 - 3.4.9rc1 and 3.5.6rc1 Wednesday August 1 2018 - 3.4.9 final and 3.5.6 final I presume that this will be the last before the wrap-up next March. -- Terry Jan Reedy ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Time for 3.4.9 and 3.5.6
On 09.07.2018 1:32, Larry Hastings wrote: On 07/08/2018 10:05 AM, Ivan Pozdeev via Python-Dev wrote: I'll use this opportunity to remind you that 3.4 build is broken -- it can't be built from start to installer with the instructions given because of outside factors (CPython has migrated from Hg to Git). https://bugs.python.org/issue31623 about this was ignored (see https://bugs.python.org/issue31623#msg303708 for supplemental fixes). If this isn't something considered needing a fix, the claim that 3.4 is supported in any shape and form is but a pretense -- if something can't be built, it can't be used. By "3.4 build is broken", you mean that building the installer is broken on Windows. Sadly the maintainer of that installer is no longer part of the Python community, and as a Linux-only dev I have no way of testing any proposed change. Not only that, building the binaries is also broken as per https://bugs.python.org/issue31645 (that's one of the aforementioned "supplemental fixes"). More importantly, 3.4 is in security-fixes-only mode, which means that changes that aren't security fixes won't be accepted. Fixing this would not be a security fix. So even if the patch was clean and well-reviewed and worked perfectly I'm simply not going to merge it into 3.4. The 3.4 tree is only going to be in security-fixes mode for another eight months anyway, after which I will retire as 3.4 release manager, and 3.4 will no longer be supported by the Python core development community at all. I kinda don't see a point of claiming any kind of support and doing any work if the codebase is unusable. All that achieves is confused users and wasted time for everyone involved. If you "a Linux-only dev" and no-one is going to look at the Windows part, why not just say clearly that this version line is not supported outside Linux? I'm okay with that (what is and isn't supported is none of my business). At least, there won't be a nasty surprise when I rely on the team's claim that the code is workable, and it actually isn't -- and another one when I go for the trouble to provide a fix, and is told that I'm a troublemaker and has just massively wasted my and everybody else's time as a thanks. Besides, that'll be a reason to officially close all still-open tickets for 3.4/3.5 (there are about 2000 that are mentioning them) regardless of the topic (I've checked that none are currently marked as security issues). As pointed out in that bpo issue: if the problem is entirely due to switching from "git" to "hg", then you should have very little difficulty working around that. You can use a git-to-hg bridge, or create a local-only hg repo from the 3.4 tree. That should permit you to build your own installers. I'm a little sad that the 3.4 Windows installers no longer build directly out-of-tree without such a workaround, but sometimes that's just what happens with a Python release three major releases out of date languishing in security-fixes-only mode. //arry/ ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/vano%40mail.mipt.ru ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Time for 3.4.9 and 3.5.6
On 07/08/2018 10:05 AM, Ivan Pozdeev via Python-Dev wrote: I'll use this opportunity to remind you that 3.4 build is broken -- it can't be built from start to installer with the instructions given because of outside factors (CPython has migrated from Hg to Git). https://bugs.python.org/issue31623 about this was ignored (see https://bugs.python.org/issue31623#msg303708 for supplemental fixes). If this isn't something considered needing a fix, the claim that 3.4 is supported in any shape and form is but a pretense -- if something can't be built, it can't be used. By "3.4 build is broken", you mean that building the installer is broken on Windows. Sadly the maintainer of that installer is no longer part of the Python community, and as a Linux-only dev I have no way of testing any proposed change. More importantly, 3.4 is in security-fixes-only mode, which means that changes that aren't security fixes won't be accepted. Fixing this would not be a security fix. So even if the patch was clean and well-reviewed and worked perfectly I'm simply not going to merge it into 3.4. The 3.4 tree is only going to be in security-fixes mode for another eight months anyway, after which I will retire as 3.4 release manager, and 3.4 will no longer be supported by the Python core development community at all. As pointed out in that bpo issue: if the problem is entirely due to switching from "git" to "hg", then you should have very little difficulty working around that. You can use a git-to-hg bridge, or create a local-only hg repo from the 3.4 tree. That should permit you to build your own installers. I'm a little sad that the 3.4 Windows installers no longer build directly out-of-tree without such a workaround, but sometimes that's just what happens with a Python release three major releases out of date languishing in security-fixes-only mode. //arry/ ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Time for 3.4.9 and 3.5.6
I'll use this opportunity to remind you that 3.4 build is broken -- it can't be built from start to installer with the instructions given because of outside factors (CPython has migrated from Hg to Git). https://bugs.python.org/issue31623 about this was ignored (see https://bugs.python.org/issue31623#msg303708 for supplemental fixes). If this isn't something considered needing a fix, the claim that 3.4 is supported in any shape and form is but a pretense -- if something can't be built, it can't be used. On 08.07.2018 10:45, Larry Hastings wrote: My six-month cadence means it's time for the next releases of 3.4 and 3.5. There haven't been many changes since the last releases--two, to be exact. These two security fixes were backported to both 3.4 and 3.5: * bpo-32981: Fix catastrophic backtracking vulns (GH-5955) * bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) 3.5 also got some doc-only changes related to the online "version switcher" dropdown. (They weren't backported to 3.4 because we don't list 3.4 in the version switcher dropdown anymore.) There are currently no PRs open for either 3.4 or 3.5, and they also have no open "release blocker" or "deferred blocker" bugs. It seems things are pretty quiet in our two security-fixes-only branches--a good way to be! I therefore propose to cut the RCs in a week and a half, and the finals two weeks later. So: Wednesday July 18 2018 - 3.4.9rc1 and 3.5.6rc1 Wednesday August 1 2018 - 3.4.9 final and 3.5.6 final If anybody needs more time I'm totally happy to accommodate them--you can probably have all the time you need. I'm trying to keep to my rough six-month cadence, but honestly that's pretty arbitrary. Thanks to all of you who keep making 3.4 and 3.5 better, //arry/ ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/vano%40mail.mipt.ru ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
[Python-Dev] Time for 3.4.9 and 3.5.6
My six-month cadence means it's time for the next releases of 3.4 and 3.5. There haven't been many changes since the last releases--two, to be exact. These two security fixes were backported to both 3.4 and 3.5: * bpo-32981: Fix catastrophic backtracking vulns (GH-5955) * bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) 3.5 also got some doc-only changes related to the online "version switcher" dropdown. (They weren't backported to 3.4 because we don't list 3.4 in the version switcher dropdown anymore.) There are currently no PRs open for either 3.4 or 3.5, and they also have no open "release blocker" or "deferred blocker" bugs. It seems things are pretty quiet in our two security-fixes-only branches--a good way to be! I therefore propose to cut the RCs in a week and a half, and the finals two weeks later. So: Wednesday July 18 2018 - 3.4.9rc1 and 3.5.6rc1 Wednesday August 1 2018 - 3.4.9 final and 3.5.6 final If anybody needs more time I'm totally happy to accommodate them--you can probably have all the time you need. I'm trying to keep to my rough six-month cadence, but honestly that's pretty arbitrary. Thanks to all of you who keep making 3.4 and 3.5 better, //arry/ ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
