Re: [python-committers] Winding down 3.4
If they're really all wontfix, maybe we should mark them as wontfix, thus giving 3.4 a sendoff worthy of its heroic stature.

Godspeed, and may a flight of angels sing thee to thy rest,

//arry/

On 08/20/2018 05:52 AM, Victor Stinner wrote:

> "shutil copy* unsafe on POSIX - they preserve setuid/setgit bits"
> https://bugs.python.org/issue17180

There is no fix. A fix may break backward compatibility. Is it really worth it for the last 3.4 release?

> "XML vulnerabilities in Python"
> https://bugs.python.org/issue17239

Bug inactive since 2015. I don't expect that anyone will step in in the next weeks with a wonderful solution to all XML issues. I suggest ignoring this one as well; this issue is as old as XML support in Python and I am not aware of any victim of these issues.

Obviously, it would be "nice" to see a fix for these issues but it seems like core devs are more interested in working on other topics and other security issues.

> "fflush called on pointer to potentially closed file" (Windows only)
> https://bugs.python.org/issue19050

It seems like two core devs are opposed to fixing this issue.

--

There are open security issues on the HTTP server and urllib. I am more concerned by these issues, but it's hard to fix them; there is a risk of introducing regressions.

Victor

___
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers
Code of Conduct: https://www.python.org/psf/codeofconduct/
Re: [python-committers] Winding down 3.4
> "shutil copy* unsafe on POSIX - they preserve setuid/setgit bits"
> https://bugs.python.org/issue17180

There is no fix. A fix may break backward compatibility. Is it really worth it for the last 3.4 release?

> "XML vulnerabilities in Python"
> https://bugs.python.org/issue17239

Bug inactive since 2015. I don't expect that anyone will step in in the next weeks with a wonderful solution to all XML issues. I suggest ignoring this one as well; this issue is as old as XML support in Python and I am not aware of any victim of these issues.

Obviously, it would be "nice" to see a fix for these issues but it seems like core devs are more interested in working on other topics and other security issues.

> "fflush called on pointer to potentially closed file" (Windows only)
> https://bugs.python.org/issue19050

It seems like two core devs are opposed to fixing this issue.

--

There are open security issues on the HTTP server and urllib. I am more concerned by these issues, but it's hard to fix them; there is a risk of introducing regressions.

Victor
Re: [python-committers] Winding down 3.4
“So that 3.4 dies in good health?”

More like getting all its evil deeds off its chest on the death bed, I think :)

Top-posted from my Windows 10 phone

From: Antoine Pitrou
Sent: Monday, 13 August 2018 2:59
To: Larry Hastings; python-committers; Python-Dev
Subject: Re: [python-committers] Winding down 3.4

On 13/08/2018 at 11:49, Larry Hastings wrote:
>
>
> We of the core dev community commit to supporting Python releases for
> five years. Releases get eighteen months of active bug fixes, followed
> by three and a half years of security fixes. Python 3.4 turns 5 next
> March--at which point we'll stop supporting it, and I'll retire as 3.4
> release manager.
>
> My plan is to make one final release on or around its fifth birthday
> containing the last round of security fixes. That's about seven months
> from now. Nothing has been merged since the releases of 3.4.9 and 3.5.6
> last week, and there are no open PRs against either of those releases.
>
> But! There are still a couple languishing "critical" bugs:
>
> "shutil copy* unsafe on POSIX - they preserve setuid/setgit bits"
> https://bugs.python.org/issue17180
>
> "XML vulnerabilities in Python"
> https://bugs.python.org/issue17239
>
> "fflush called on pointer to potentially closed file" (Windows only)
> https://bugs.python.org/issue19050
>
> It'd be nice to resolve all those issues, one way or another, before we
> retire 3.4.

So that 3.4 dies in good health?

Regards

Antoine.
Re: [python-committers] Winding down 3.4
On 13/08/2018 at 11:49, Larry Hastings wrote:
>
>
> We of the core dev community commit to supporting Python releases for
> five years. Releases get eighteen months of active bug fixes, followed
> by three and a half years of security fixes. Python 3.4 turns 5 next
> March--at which point we'll stop supporting it, and I'll retire as 3.4
> release manager.
>
> My plan is to make one final release on or around its fifth birthday
> containing the last round of security fixes. That's about seven months
> from now. Nothing has been merged since the releases of 3.4.9 and 3.5.6
> last week, and there are no open PRs against either of those releases.
>
> But! There are still a couple languishing "critical" bugs:
>
> "shutil copy* unsafe on POSIX - they preserve setuid/setgit bits"
> https://bugs.python.org/issue17180
>
> "XML vulnerabilities in Python"
> https://bugs.python.org/issue17239
>
> "fflush called on pointer to potentially closed file" (Windows only)
> https://bugs.python.org/issue19050
>
> It'd be nice to resolve all those issues, one way or another, before we
> retire 3.4.

So that 3.4 dies in good health?

Regards

Antoine.