[Python-Dev] Re: Switching to Discourse

2022-12-06 Thread Baptiste Carvello
Hi,

On 05/12/2022 at 14:50, Stephen J. Turnbull wrote:
>
>  I'd be sad, but I get the feeling that the only people left
> reading it are "here for the community", not to develop code, …
I think this is indeed true, but that's nothing to be sad about: "being
here for the community" is not wrong or shameful.

Since forever, python-dev has attracted a large following of enthusiastic
Python users, who want to understand the design choices of their
preferred language. This widely shared concern for writing idiomatic
code is a distinguishing trait of the Python community (the whole
culture of "pythonic" code).

Now maybe this is a place where the mailman devs could help and make a
real difference: what if this list became, not archive-only, but a
*read-only mirror* of those parts of Discourse that are relevant for
core development? That would mean setting up a pipeline starting with
Discourse's so-called "mailing-list mode", going through the kind of
filter stack that some core developers have been setting up for their
personal use, and feeding into this mailing list. The last part can only
be done with the powers of the mailman admins.

Being read-only would not be a problem in practice: non core-devs here
read much more than they post (as they should). Being forced to log into
a specific website is an acceptable roadblock once in a while for
posting, just not every day for simply following the discussions.

Turning this list into a relevant mirror of Discourse is the nicest
course of action for the hundreds of silent readers python-dev has
gathered over the years. All those people *won't* switch to routinely
visiting the Discourse website, no matter how much pushing and wishful
thinking the Steering Council puts into it. Shutting down the list means
kicking them away, more or less overtly.

Cheers,
Baptiste
___
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/TXLKFNL3RUFNIU5DELXIJQF3UZOX6DIH/
Code of Conduct: http://python.org/psf/codeofconduct/


[Python-Dev] [RELEASE] Python 3.11.1, 3.10.9, 3.9.16, 3.8.16, 3.7.16, and 3.12.0 alpha 3 are now available

2022-12-06 Thread Łukasz Langa
Greetings! We bring you a slew of releases this fine Saint Nicholas / 
Sinterklaas day. Six simultaneous releases has got to be some record. There’s 
one more record we broke this time, you’ll see below.

In any case, updating is recommended due to security content:

3.7 - 3.12: gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680
(heap use-after-free).

3.7 - 3.12: gh-98433: The IDNA codec decoder used on DNS hostnames by socket or
asyncio related name resolution functions no longer involves a quadratic
algorithm to fix CVE-2022-45061. This prevents a potential CPU denial of service
if an out-of-spec excessive length hostname involving bidirectional characters
were decoded. Some protocols such as urllib http 3xx redirects potentially allow
for an attacker to supply such a name.

3.7 - 3.12: gh-11: python -m http.server no longer allows terminal control
characters sent within a garbage request to be printed to the stderr server log.

3.8 - 3.12: gh-87604: Avoid publishing list of active per-interpreter audit hooks
via the gc module.

3.9 - 3.10 (already released in 3.11+ before): gh-97514: On Linux the
multiprocessing module returns to using filesystem backed unix domain sockets for
communication with the forkserver process instead of the Linux abstract socket
namespace. Only code that chooses to use the “forkserver” start method is
affected. This prevents Linux CVE-2022-42919 (potential privilege escalation) as
abstract sockets have no permissions and could allow any user on the system in
the same network namespace (often the whole system) to inject code into the
multiprocessing forkserver process. This was a potential privilege escalation.
Filesystem based socket permissions restrict this to the forkserver process user
as was the default in Python 3.8 and earlier.

3.7 - 3.10: gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 to fix
CVE-2022-37454.

3.7 - 3.9 (already released in 3.10+ before): gh-68966: The deprecated mailcap
module now refuses to inject unsafe text (filenames, MIME types, parameters) into
shell commands to address CVE-2015-20107. Instead of using such text, it will
warn and act as if a match was not found (or for test commands, as if the test
failed).
Python 3.12.0 alpha 3

Get it here, read the change log, sing a GPT-3-generated Sinterklaas song:

https://www.python.org/downloads/release/python-3120a3/ 


216 new commits since 3.12.0 alpha 2 last month.

Python 3.11.1

Get it here, see the change log, read the recipe for quark soup:

https://www.python.org/downloads/release/python-3111/ 


A whopping 495 new commits since 3.11.0. This is a massive increase of changes
compared to 3.10 at the same stage in the release cycle: there were “only” 339
commits between 3.10.0 and 3.10.1.

Python 3.10.9

Get it here, read the change log, see circular patterns:

https://www.python.org/downloads/release/python-3109/ 


165 new commits.

Python 3.9.16

Get it here, read the change log, consider upgrading to a newer version:

https://www.python.org/downloads/release/python-3916/ 


Security-only release with no binaries. 10 commits.

Python 3.8.16

Get it here, see the change log, definitely upgrade to a newer version:

https://www.python.org/downloads/release/python-3816/ 


Security-only release with no binaries. 9 commits.
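Two of the fixes in the announcement above (the http.server log sanitising and the mailcap shell-command refusal) come down to one rule: attacker-controlled text must be neutralised before it reaches a terminal or a shell, and refused rather than quoted when it cannot be. The following Python is an added example, not part of the announcement and not CPython's own code. It shows the two checks side by side using the same shape the fixes took (a translation table that escapes C0/C1 control characters and backslashes before logging, and a character allow-list that rejects shell-unsafe filenames), plus a small helper that reports whether a given version tuple is at or past the releases listed in this message. The function names, the regex, the version table and the constructed request lines are my own assumptions; the exact character classes CPython uses may differ.

```python
"""Added example (not from the announcement or from CPython): the string-handling
rules behind the http.server and mailcap fixes, plus a version check against the
releases listed in the announcement. Names and sample inputs are constructed."""
import itertools
import logging
import re
import sys

log = logging.getLogger(__name__)

# Lowest release per 3.x minor that carries the fixes listed in the announcement
# (assumed table, taken from the release list above; 3.6 and older got no fix).
FIXED_RELEASES = {
    7: (3, 7, 16),
    8: (3, 8, 16),
    9: (3, 9, 16),
    10: (3, 10, 9),
    11: (3, 11, 1),
}
_LEVELS = {"alpha": 0, "beta": 1, "candidate": 2, "final": 3}


def is_patched(v=None):
    """True if version tuple v (default: the running interpreter) is at or beyond
    a fixed release. 3.12 was pre-release at the time: alpha 3 or later counts."""
    v = tuple(sys.version_info) if v is None else tuple(v)
    major, minor, micro = v[:3]
    if major != 3:
        return False
    if minor >= 12:
        level, serial = (v[3], v[4]) if len(v) >= 5 else ("final", 0)
        return minor > 12 or micro > 0 or (_LEVELS[level], serial) >= (0, 3)
    fixed = FIXED_RELEASES.get(minor)
    return fixed is not None and (major, minor, micro) >= fixed


# C0 controls (0x00-0x1f), DEL and C1 controls (0x7f-0x9f) are rewritten as a
# literal \xNN; a real backslash is doubled so the escaped form is unambiguous.
_CONTROL_CHAR_TABLE = str.maketrans(
    {c: rf"\x{c:02x}" for c in itertools.chain(range(0x20), range(0x7F, 0xA0))}
)
_CONTROL_CHAR_TABLE[ord("\\")] = r"\\"


def escape_for_log(text):
    """Neutralise terminal escape sequences in an untrusted string before it is
    written to a log that someone may view in a terminal."""
    return text.translate(_CONTROL_CHAR_TABLE)


# Allow-list (assumed, in the spirit of the mailcap fix): word characters, a few
# punctuation characters that occur in filenames and MIME types, and non-ASCII
# text. Space, ;, |, &, $, backticks, quotes and newlines all fail the check.
_FIND_UNSAFE = re.compile(r"[^\xa1-\U0010FFFF\w@+=:,./-]").search


def is_shell_safe(text):
    """True if text contains only characters from the allow-list."""
    return _FIND_UNSAFE(text) is None


def build_view_command(template, filename):
    """Substitute filename into a mailcap-style '%s' template. Unsafe filenames
    are refused (None) instead of quoted, mirroring the 'act as if no match'
    behaviour described in the announcement."""
    if not is_shell_safe(filename):
        log.warning("refusing to put unsafe filename %r into a shell command", filename)
        return None
    return template.replace("%s", filename)


if __name__ == "__main__":
    # Constructed garbage request line carrying a clear-screen escape sequence.
    request = "GET /\x1b[2J\x1b[H HTTP/1.1\r\n"
    print("raw repr   :", repr(request))
    print("for the log:", escape_for_log(request))
    for name in ("report.pdf", "évidence_2022.txt", "x;rm -rf ~"):
        print(f"{name!r:24} ->", build_view_command("xdg-open %s", name))
    print("running interpreter patched:", is_patched())
```

The log escaping keeps the line readable and greppable (the sequence is still visible as `\x1b[2J`) while removing the terminal's ability to act on it; the filename check refuses rather than quotes, because a deprecated module is not the place to get shell quoting right for every shell a mailcap entry might be run under.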