On 31/10/2019 00:17, Larry Hastings wrote:
> Due to awkward CDN caching, some users who downloaded the source code
> tarballs of Python 3.5.8 got a preliminary version instead of the
> final version. As best as we can tell, this only affects the .xz
> release; there are no known instances of users downloading an
> incorrect version of the .tgz file.
> If you downloaded "Python-3.5.8.tar.xz" during the first twelve hours
> of its release, you might be affected. It's easy to determine this
> for yourself. The file size (15,382,140 bytes) and MD5 checksum
> (4464517ed6044bca4fc78ea9ed086c36) published on the release page have
> always matched the correct version. Also, the GPG signature file will
> only report a "Good signature" for the correct .xz file (using "gpg
> What's the difference between the two? The only difference is that
> the final version also merges a fix for Python issue tracker #38243:
> The fix adds a call to "html.escape" at a judicious spot, line 896 in
> Lib/xmlrpc/server.py. The only other changes are one new test, to
> ensure this new code is working, and an entry in the NEWS file. You
> can see the complete list of changes here:
> What should you do? It's up to you.
> * If you and your users aren't using the XMLRPC library built in to
> Python, you don't need to worry about which version of 3.5.8 you
> * If you downloaded the .tgz tarball or the Git repo, you already
> have the correct version.
> * If you downloaded the xz file and want to make sure you have the
> fix, check the MD5 sum, and if it's wrong download a fresh copy
> (and make sure that one matches the known good MD5 sum!).
> To smooth over this whole sordid mess, I plan to make a 3.5.9 release
> in the next day or so. It'll be identical to the 3.5.8 release; its
> only purpose is to ensure that all users have the same updated source
> code, including the fix for #38243.
> Sorry for the mess, everybody,
a) "Congratulations" on the 3.5.8 release
b) excellent solution - to up the release number!
> Python-Dev mailing list -- python-...@python.org
> To unsubscribe send an email to python-dev-le...@python.org
> Message archived at
> Code of Conduct: http://python.org/psf/codeofconduct/
Description: OpenPGP digital signature
Python-announce-list mailing list -- firstname.lastname@example.org
To unsubscribe send an email to python-announce-list-le...@python.org
Support the Python Software Foundation: