Tuesday, June 1, 2021

Python 3.10.0b2 is available

After fighting with some release blockers, implementing a bunch of GC traversal functions, and fixing some pending reference leaks, we finally have Python 3.10.0 beta 2 ready for you! Thanks to everyone that helped to unblock the release!

https://www.python.org/downloads/release/python-3100b2/

This is a beta preview of Python 3.10

Python 3.10 is still in development. 3.10.0b2 is the second of four planned beta release previews. Beta release previews are intended to give the wider community the opportunity to test new features and bug fixes and to prepare their projects to support the new feature release.

We **strongly encourage** maintainers of third-party Python projects to **test with 3.10** during the beta phase and report issues found to [the Python bug tracker](https://bugs.python.org/) as soon as possible. While the release is planned to be feature complete entering the beta phase, it is possible that features may be modified or, in rare cases, deleted up until the start of the release candidate phase (Monday, 2021-08-02). Our goal is to have no ABI changes after beta 4 and as few code changes as possible after 3.10.0rc1, the first release candidate. To achieve that, it will be **extremely important** to get as much exposure for 3.10 as possible during the beta phase.

Please keep in mind that this is a preview release and its use is **not** recommended for production environments.

Major new features of the 3.10 series, compared to 3.9

Many new features for Python 3.10 are still being planned and written. Among the major new features and changes so far:

  • PEP 623 – Deprecate and prepare for the removal of the wstr member in PyUnicodeObject.
  • PEP 604 – Allow writing union types as X | Y
  • PEP 612 – Parameter Specification Variables
  • PEP 626 – Precise line numbers for debugging and other tools.
  • PEP 618 – Add Optional Length-Checking To zip.
  • bpo-12782: Parenthesized context managers are now officially allowed.
  • PEP 632 – Deprecate distutils module.
  • PEP 613 – Explicit Type Aliases
  • PEP 634 – Structural Pattern Matching: Specification
  • PEP 635 – Structural Pattern Matching: Motivation and Rationale
  • PEP 636 – Structural Pattern Matching: Tutorial
  • PEP 644 – Require OpenSSL 1.1.1 or newer
  • PEP 624 – Remove Py_UNICODE encoder APIs
  • PEP 597 – Add optional EncodingWarning
  • (Hey, fellow core developer, if a feature you find important is missing from this list, let Pablo know.)

The next pre-release of Python 3.10 will be 3.10.0b3, currently scheduled for Thursday, 2021-06-17.

bpo-38605: from __future__ import annotations (PEP 563) used to be on this list in previous pre-releases but it has been postponed to Python 3.11 due to some compatibility concerns. You can read the Steering Council communication about it here to learn more.

And now for something completely different

The Ehrenfest paradox concerns the rotation of a "rigid" disc in the theory of relativity. In its original 1909 formulation as presented by Paul Ehrenfest in relation to the concept of Born rigidity within special relativity, it discusses an ideally rigid cylinder that is made to rotate about its axis of symmetry. The radius R as seen in the laboratory frame is always perpendicular to its motion and should therefore be equal to its value R0 when stationary. However, the circumference (2πR) should appear Lorentz-contracted to a smaller value than at rest. This leads to the apparent contradiction that R = R0 and R < R0.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,

Pablo Galindo @pablogsal

Ned Deily @nad

Steve Dower @steve.dower

Monday, May 3, 2021

Python 3.8.10, 3.9.5, and 3.10.0b1 are now available

This has been a very busy day for releases and on behalf of the Python development community we’re happy to announce the availability of three new Python releases.

Python 3.10 is now in Beta

Get it here: https://www.python.org/downloads/release/python-3100b1/

Python 3.10 is still in development. 3.10.0b1 is the first of four planned beta release previews. Beta release previews are intended to give the wider community the opportunity to test new features and bug fixes and to prepare their projects to support the new feature release.

We strongly encourage maintainers of third-party Python projects to test with 3.10 during the beta phase and report issues found to the Python bug tracker as soon as possible. While the release is planned to be feature complete entering the beta phase, it is possible that features may be modified or, in rare cases, deleted up until the start of the release candidate phase (Monday, 2021-08-02). Our goal is to have no ABI changes after beta 4 and as few code changes as possible after 3.10.0rc1, the first release candidate. To achieve that, it will be extremely important to get as much exposure for 3.10 as possible during the beta phase.

Please keep in mind that this is a preview release and its use is not recommended for production environments.

The next pre-release, the second beta release of Python 3.10, will be 3.10.0b2. It is currently scheduled for 2021-05-25. Please see PEP 619 for details.

Development Begins on Python 3.11

With Python 3.10 moving to beta, it received its own 3.10 branch in the repository. All new features are now targeting Python 3.11, to be released in October 2022.

Using the opportunity with the creation of the 3.10 branch, we renamed the master branch of the repository to main. It’s been a bit rocky but looks like we’re open for business. Please rename the main branch of your personal fork using the guide GitHub will give you when you go to your fork’s main page. In case of any outstanding issues, please contact the 3.11 RM.

Python 3.9.5

Get it here: https://www.python.org/downloads/release/python-395/

Python 3.9.5 is the newest major stable release of the Python programming language, and it contains many new features and optimizations. There have been 111 commits since 3.9.4, which is a similar amount compared to 3.8 at the same stage of the release cycle. See the change log for details.

On macOS, we encourage you to use the universal2 binary installer variant whenever possible. The legacy 10.9+ Intel-only variant will not be provided for Python 3.10 and the universal2 variant will become the default download for future 3.9.x releases. You may need to upgrade third-party components, like pip, to later versions once they are released. You may experience differences in behavior in IDLE and other Tk-based applications due to using the newer version of Tk. As always, if you encounter problems when using this installer variant, please check https://bugs.python.org for existing reports and for opening new issues.

The next Python 3.9 maintenance release will be 3.9.6, currently scheduled for 2021-06-28.

The Last Regular Bugfix Release of Python 3.8

Get it here: https://www.python.org/downloads/release/python-3810/

According to the release calendar specified in PEP 569, Python 3.8.10 is the final regular maintenance release. Starting now, the 3.8 branch will only accept security fixes and releases of those will be made in source-only form until October 2024. To keep receiving regular bug fixes, please upgrade to Python 3.9.

Compared to the 3.7 series, this last regular bugfix release is relatively dormant at 92 commits since 3.8.9. Version 3.7.8, the final regular bugfix release of Python 3.7, included 187 commits. But there’s a bunch of important updates here regardless, the biggest being macOS Big Sur and Apple Silicon build support. This work would not have been possible without the effort of Ronald Oussoren, Ned Deily, Maxime Bélanger, and Lawrence D’Anna from Apple. Thank you!

Take a look at the change log for details.

We hope you enjoy the new releases

Your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Pablo Galindo Salgado @pablogsal
Łukasz Langa @ambv

Tuesday, April 6, 2021

Python 3.10.0a7 is now available for testing

Brrrrr… do you feel that? That’s the chill of beta freeze coming closer. Meanwhile, your friendly CPython release team doesn’t rest even on holidays and we have prepared a shiny new release for you: Python 3.10.0a7.

Get the new release here:

https://www.python.org/downloads/release/python-3100a7/

Python 3.10.0a7

Release Date: April 5, 2021

This is an early developer preview of Python 3.10

Major new features of the 3.10 series, compared to 3.9

Python 3.10 is still in development. This release, 3.10.0a7, is the last of seven planned alpha releases. Alpha releases are intended to make it easier to test the current state of new features and bug fixes and to test the release process. During the alpha phase, features may be added up until the start of the beta phase (2021-05-03) and, if necessary, may be modified or deleted up until the release candidate phase (2021-10-04). Please keep in mind that this is a preview release and its use is not recommended for production environments.

Many new features for Python 3.10 are still being planned and written. Among the major new features and changes so far:

  • PEP 623 – Deprecate and prepare for the removal of the wstr member in PyUnicodeObject.
  • PEP 604 – Allow writing union types as X | Y
  • PEP 612 – Parameter Specification Variables
  • PEP 626 – Precise line numbers for debugging and other tools.
  • bpo-38605: from __future__ import annotations (PEP 563) is now the default.
  • PEP 618 – Add Optional Length-Checking To zip.
  • bpo-12782: Parenthesized context managers are now officially allowed.
  • PEP 632 – Deprecate distutils module.
  • PEP 613 – Explicit Type Aliases
  • PEP 634 – Structural Pattern Matching: Specification
  • PEP 635 – Structural Pattern Matching: Motivation and Rationale
  • PEP 636 – Structural Pattern Matching: Tutorial
  • PEP 644 – Require OpenSSL 1.1.1 or newer
  • PEP 624 – Remove Py_UNICODE encoder APIs
  • PEP 597 – Add optional EncodingWarning
  • (Hey, fellow core developer, if a feature you find important is missing from this list, let Pablo know.)

The next pre-release of Python 3.10 will be 3.10.0b1 (the first beta release and feature freeze), currently scheduled for Monday, 2021-05-03.

And now for something completely different

In physics, the twin paradox is a thought experiment in special relativity involving identical twins, one of whom makes a journey into space in a high-speed rocket and returns home to find that the twin who remained on Earth has aged more. This result appears puzzling because each twin sees the other twin as moving, and so, as a consequence of an incorrect and naive application of time dilation and the principle of relativity, each should paradoxically find the other to have aged less. However, this scenario can be resolved by realising that the travelling twin is undergoing acceleration, which makes him a non-inertial observer. In both views, there is no symmetry between the spacetime paths of the twins. Therefore, the twin paradox is not a paradox in the sense of a logical contradiction.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Pablo Galindo Salgado @pablogsal
Ned Deily @nad
Steve Dower @steve.dower

Sunday, April 4, 2021

Python 3.9.4 hotfix is now available

Python 3.9.3 was released two days ago on Friday, April 2nd. It contains important security content listed below for reference. Unfortunately, it also introduced an unintentional ABI incompatibility, making some C extensions built with Python 3.9.0 - 3.9.2 crash with Python 3.9.3 on 32-bit systems. To minimize disruption, I decided to recall 3.9.3 and introduce this hotfix release: 3.9.4.

We highly recommend upgrading your Python 3.9 installations to 3.9.4 at your earliest convenience.

Get it here:

https://www.python.org/downloads/release/python-394/

What is “ABI compatibility”?

Python guarantees that within a given language series (like the current 3.9) binary extensions written in C or C++ and compiled against headers of one release (like 3.9.0) will be importable from other versions in the same series (like 3.9.3). If this weren’t the case, library authors would have to ship separate binary wheels on PyPI for every single bugfix release of Python. That would be very inconvenient.

What broke in Python 3.9.3?

In a fix for a corner-case crash around recursion limits and exceptions, the PyThreadState struct needed to change. While PyThreadState’s only documented public member is the *interp field, it’s not uncommon for C extensions to access other fields in this struct as well.

When I approved the backport of this fix, I missed the fact that the variable size change would change the memory layout of said struct on 32-bit systems (on 64-bit systems alignment rules made the size change backwards compatible). Merging the backport was a mistake, and so 3.9.4 reverts it to restore compatibility with binary extensions built against Python 3.9.0 - 3.9.2. Details in bpo-43710.
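
The layout effect described above, as an added example that is not CPython code: the struct below is a hypothetical stand-in (its member names are not the real PyThreadState fields), and fixed-width integers play the role of pointers so that a 32-bit and a 64-bit layout can be compared on one host.

```python
import ctypes


def build_layout(pointer_bits, widened):
    """Return ({member: offset}, total_size) for one variant of the struct.

    Hypothetical stand-in for a thread-state struct. "flag" is the member
    whose type a bugfix widens from char to int.
    """
    # Assumption: the host aligns uint64 on 8 bytes (true on common 64-bit ABIs).
    ptr = ctypes.c_uint32 if pointer_bits == 32 else ctypes.c_uint64
    fields = [
        ("interp", ptr),                  # the documented public member
        ("critical", ctypes.c_char),
        ("flag", ctypes.c_int if widened else ctypes.c_char),
        ("callback", ptr),                # undocumented, but read by extensions
        ("tracing", ctypes.c_int),
    ]
    struct = type("ThreadState", (ctypes.Structure,), {"_fields_": fields})
    offsets = {name: getattr(struct, name).offset for name, _ in fields}
    return offsets, ctypes.sizeof(struct)


def shifted_members(pointer_bits):
    """Members, other than the changed one, whose offset moves after the change."""
    before, _ = build_layout(pointer_bits, widened=False)
    after, _ = build_layout(pointer_bits, widened=True)
    return [m for m in before if m != "flag" and before[m] != after[m]]


if __name__ == "__main__":
    for bits in (32, 64):
        _, old_size = build_layout(bits, widened=False)
        _, new_size = build_layout(bits, widened=True)
        print(f"{bits}-bit: sizeof {old_size} -> {new_size}, "
              f"shifted members: {shifted_members(bits)}")
```

With 8-byte pointer alignment the wider member fits into padding that was already there, so every other member keeps its offset. With 4-byte alignment there is no such slack, and an extension compiled against the old header reads the later members at stale offsets.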

Security Content in Python 3.9.3

  • bpo-43631: high-severity CVE-2021-3449 and CVE-2021-3450 were published for OpenSSL, it’s been upgraded to 1.1.1k in CI, and macOS and Windows installers.
  • bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
  • bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
  • bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.
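
The ftplib change in bpo-43285, sketched from the client side as an added example (not the ftplib source). The helper names, the reply strings and the peer address are constructed for illustration; only `ftplib.parse227` and the `trust_server_pasv_ipv4_address` attribute come from the standard library.

```python
import ftplib
import ipaddress

# Constructed sample replies; 203.0.113.10 is a documentation address used
# here as the peer of the control connection.
CONTROL_PEER = "203.0.113.10"
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (203,0,113,10,195,80)",  # matches the peer
    "227 Entering Passive Mode (192,168,1,5,0,22)",     # a different host
    "200 Command okay.",                                # not a PASV reply
]


def pasv_data_endpoint(reply, control_peer, trust_server_ip=False):
    """Choose the data-connection endpoint for one 227 reply.

    Returns (host, port, mismatch). With trust_server_ip=False the host is
    the control connection's peer and only the port is taken from the reply,
    which is the default behaviour after the fix.
    """
    advertised_host, port = ftplib.parse227(reply)
    mismatch = (ipaddress.ip_address(advertised_host)
                != ipaddress.ip_address(control_peer))
    host = advertised_host if trust_server_ip else control_peer
    return host, port, mismatch


def audit_pasv_replies(replies, control_peer):
    """Return one finding per reply that advertises an IP other than the peer."""
    findings = []
    for reply in replies:
        try:
            host, port = ftplib.parse227(reply)
        except ftplib.Error:
            continue  # not a well-formed 227 reply
        addr = ipaddress.ip_address(host)
        if addr != ipaddress.ip_address(control_peer):
            findings.append({
                "advertised": host,
                "port": port,
                "internal": addr.is_private or addr.is_loopback,
            })
    return findings


def library_default():
    """The class-level default of the opt-in attribute (None if absent)."""
    return getattr(ftplib.FTP, "trust_server_pasv_ipv4_address", None)


if __name__ == "__main__":
    print("ftplib default:", library_default())
    for finding in audit_pasv_replies(SAMPLE_REPLIES, CONTROL_PEER):
        print("PASV reply advertises a foreign address:", finding)
```

A `library_default()` result of `None` means the running interpreter predates the fix. A `True` found on an `FTP` instance in a code review means the former behaviour has been re-enabled for that connection.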

Release Calendar

Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.5 planned for May 3rd 2021 as well.

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.3 specifically.

Detailed information about all changes made in version 3.8.9 can be found in its respective changelog.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Łukasz Langa @ambv
Ned Deily @nad
Steve Dower @steve.dower
 

Friday, April 2, 2021

Python 3.9.3 and 3.8.9 are now available

Those are expedited security releases, recommended to all users. Get them here:

https://www.python.org/downloads/release/python-389/

Note: 3.9.3 has been recalled due to introducing unintentional ABI incompatibility. Download 3.9.4 instead: https://www.python.org/downloads/release/python-394/.

Security Content

  • bpo-43631: high-severity CVE-2021-3449 and CVE-2021-3450 were published for OpenSSL, it’s been upgraded to 1.1.1k in CI, and macOS and Windows installers.
  • bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
  • bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
  • bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.
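
One way to consume the audit events added in bpo-43439, as an added example that is not part of the release notes. The helper names and the deny policy are assumptions made for illustration; the event names are the ones the `gc` functions raise.

```python
import gc
import sys

GC_EVENTS = frozenset({"gc.get_objects", "gc.get_referrers", "gc.get_referents"})

_observed = []             # every gc introspection event seen so far
_policy = {"deny": False}  # hooks cannot be removed, so policy is a toggle


def _gc_audit_hook(event, args):
    """Record gc introspection events and optionally refuse them."""
    if event not in GC_EVENTS:
        return
    _observed.append(event)
    if _policy["deny"]:
        # An exception raised by a hook propagates out of the audited call.
        raise PermissionError(f"{event} is blocked by audit policy")


sys.addaudithook(_gc_audit_hook)


def run_audited(func, deny=False):
    """Run func() and return (gc events it raised, whether it was blocked)."""
    start = len(_observed)
    _policy["deny"] = deny
    blocked = False
    try:
        func()
    except PermissionError:
        blocked = True
    finally:
        _policy["deny"] = False
    return _observed[start:], blocked


if __name__ == "__main__":
    secret = ["constructed sample object"]
    print(run_audited(lambda: gc.get_objects()))
    print(run_audited(lambda: gc.get_referrers(secret)))
    print(run_audited(lambda: gc.get_referents(secret), deny=True))
```

These three functions let code reach objects it was never handed a reference to, which is why an embedding application or sandbox may want them logged or refused.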

Release Calendar

Due to the security fixes, those releases are made a month sooner than planned. I decided to keep the release calendar intact, meaning that the last full regular maintenance release of Python 3.8 is still planned for May 3rd 2021, after which it will shift to source releases only for security bug fixes only. Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.3 planned for May 3rd 2021 as well.

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.3 specifically.

Detailed information about all changes made in version 3.8.9 can be found in its respective changelog.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Łukasz Langa @ambv

Monday, March 1, 2021

Python 3.10.0a6 is now available for testing

Remember us? It’s your friendly CPython release team and we have something we think you may like: The new alpha release of Python 3.10 is here, now with 100% more pattern matching. If I were you, I would download it and start playing with it. Extra points if you report us any bugs you find along the way! Are you confused about all this pattern matching business? Fear not, this release also includes some fantastic documentation and some shiny new “What’s new” entries.

Check them here and tell us how we can improve it:

https://docs.python.org/3.10/whatsnew/3.10.html

https://docs.python.org/3.10/tutorial/controlflow.html#match-statements


Go get the new alpha here:

https://www.python.org/downloads/release/python-3100a6/


This is an early developer preview of Python 3.10

Major new features of the 3.10 series, compared to 3.9

Python 3.10 is still in development. This release, 3.10.0a6, is the sixth of seven planned alpha releases. Alpha releases are intended to make it easier to test the current state of new features and bug fixes and to test the release process. During the alpha phase, features may be added up until the start of the beta phase (2021-05-03) and, if necessary, may be modified or deleted up until the release candidate phase (2021-10-04). Please keep in mind that this is a preview release and its use is not recommended for production environments.

Many new features for Python 3.10 are still being planned and written. Among the major new features and changes so far:

  • PEP 623 – Remove wstr from Unicode
  • PEP 604 – Allow writing union types as X | Y
  • PEP 612 – Parameter Specification Variables
  • PEP 626 – Precise line numbers for debugging and other tools.
  • bpo-38605: from __future__ import annotations (PEP 563) is now the default.
  • PEP 618 – Add Optional Length-Checking To zip.
  • bpo-12782: Parenthesized context managers are now officially allowed.
  • PEP 632 – Deprecate distutils module.
  • PEP 613 – Explicit Type Aliases
  • PEP 634 – Structural Pattern Matching: Specification
  • PEP 635 – Structural Pattern Matching: Motivation and Rationale
  • PEP 636 – Structural Pattern Matching: Tutorial
  • (Hey, fellow core developer, if a feature you find important is missing from this list, let Pablo know.)

The next pre-release of Python 3.10 will be 3.10.0a7 (last alpha release), currently scheduled for Monday, 2021-04-05.

And now for something completely different

Schwarzschild wormholes, also known as Einstein–Rosen bridges (named after Albert Einstein and Nathan Rosen), are connections between areas of space that can be modelled as vacuum solutions to the Einstein field equations, and that are now understood to be intrinsic parts of the maximally extended version of the Schwarzschild metric describing an eternal black hole with no charge and no rotation. Here, “maximally extended” refers to the idea that the spacetime should not have any “edges”: it should be possible to continue this path arbitrarily far into the particle’s future or past for any possible trajectory of a free-falling particle (following a geodesic in the spacetime).

Although Schwarzschild wormholes are not traversable in both directions, their existence inspired Kip Thorne to imagine traversable wormholes created by holding the “throat” of a Schwarzschild wormhole open with exotic matter (material that has negative mass/energy).

Friday, February 19, 2021

Python 3.9.2 and 3.8.8 are now available

Convinced of the wonders of free two-day deliveries, I’m pleased to present you Python 3.9.2 and 3.8.8. Get them from:



Next up, the last full regular maintenance release of Python 3.8 is planned for May 3rd 2021, after which it will shift to source releases only for security bug fixes only. Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.3 planned for early May 2021.

Why the expedited final release?

This release, just as the candidate before it, contains two security fixes:

  • bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values. This issue was assigned CVE-2021-3177.

  • bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator. This issue was assigned CVE-2021-23336.
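
The separator change in bpo-42967, as an added example that is not taken from the release notes: it compares the patched default with a reconstruction of the earlier behaviour, in which `;` also split pairs, and flags queries that the two views parse differently. The helper names and sample queries are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Constructed sample query strings, e.g. as pulled from an access log.
SAMPLE_QUERIES = [
    "page=1&lang=en",               # same result under both parsers
    "page=1&utm_content=x;page=2",  # ';' inside a value
    "note=a%3Bb",                   # percent-encoded ';' is always data
]


def patched_pairs(query):
    """Parse as the fixed releases do by default: only '&' separates pairs."""
    return parse_qsl(query, keep_blank_values=True)


def legacy_pairs(query):
    """Reconstruction of the pre-fix view, where ';' separated pairs as well."""
    return parse_qsl(query.replace(";", "&"), keep_blank_values=True)


def semicolon_pairs(query):
    """Explicit opt-in for applications that really use ';' as the separator."""
    return parse_qsl(query, keep_blank_values=True, separator=";")


def as_multidict(pairs):
    """Group values by key, keeping repeated keys in order."""
    merged = {}
    for key, value in pairs:
        merged.setdefault(key, []).append(value)
    return merged


def differential(query):
    """Return the parameter names on which the two parsers disagree."""
    new = as_multidict(patched_pairs(query))
    old = as_multidict(legacy_pairs(query))
    return sorted(k for k in new.keys() | old.keys() if new.get(k) != old.get(k))


def flag_ambiguous(queries):
    """Queries that a cache and a backend could interpret differently."""
    return [q for q in queries if differential(q)]


if __name__ == "__main__":
    for q in flag_ambiguous(SAMPLE_QUERIES):
        print(q, "->", differential(q))
```

A query is only a cache-poisoning candidate when the component that builds the cache key and the component that builds the response disagree about its parameters. Flagging that disagreement in logs is a cheap check while a fleet is still on mixed versions.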

Since the announcement of the release candidates for 3.9.2 and 3.8.8, we received a number of inquiries from end users urging us to expedite the final releases due to the security content, especially CVE-2021-3177.

This took us somewhat by surprise since we believed security content is cherry-picked by downstream distributors from source either way, and the RC releases provide installers for everybody else interested in upgrading in the meantime. It turns out that release candidates are mostly invisible to the community and in many cases cannot be used due to upgrade processes which users have in place.

In turn, the other active release managers and I decided to stop providing release candidates for bugfix versions. Starting from now on after the initial 3.x.0 final release, all subsequent releases are going to be provided as is in bi-monthly intervals. The release calendar PEPs for 3.8 and 3.9 have been updated accordingly.

On the severity of CVE-2021-3177

We recommend you upgrade your systems to Python 3.8.8 or 3.9.2.

Our understanding is that while the CVE is listed as “remote code execution”, practical exploits of this vulnerability as such are very unlikely due to the following conditions needing to be met for successful RCE:

  • pass an untrusted floating point number from a remote party to ctypes.c_double.from_param (note: Python floating point numbers were not affected);

  • have that object be passed to repr() (for instance through logging);

  • have that floating point number be valid machine code;

  • have the buffer overflow overwrite the stack at exactly the right place for the code to get executed.

In fact, Red Hat’s evaluation of the vulnerability was consistent with ours. They write: “the highest threat from this vulnerability is to system availability.”

To be sure, denial of service through malicious input is also a serious issue. Thus, to help the community members for whom the release candidate was insufficient, we are releasing the final versions of 3.9.2 and 3.8.8 today.

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.2rc1 specifically. The final release only contains a single bugfix over the release candidate.

Detailed information about all changes made in version 3.8.8rc1 specifically can be found in its respective changelog. The final version contains no changes over the release candidate.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Łukasz Langa @ambv