Tuesday, April 6, 2021

Python 3.10.0a7 is now available for testing

Brrrrr… do you feel that? That’s the chill of beta freeze coming closer. Meanwhile, your friendly CPython release team doesn’t rest even on holidays and we have prepared a shiny new release for you: Python 3.10.0a7.

Get the new release here:

https://www.python.org/downloads/release/python-3100a7/

Python 3.10.0a7

Release Date: April 5, 2021

This is an early developer preview of Python 3.10

Major new features of the 3.10 series, compared to 3.9

Python 3.10 is still in development. This release, 3.10.0a7, is the last of seven planned alpha releases. Alpha releases are intended to make it easier to test the current state of new features and bug fixes and to test the release process. During the alpha phase, features may be added up until the start of the beta phase (2021-05-03) and, if necessary, may be modified or deleted up until the release candidate phase (2021-10-04). Please keep in mind that this is a preview release and its use is not recommended for production environments.

Many new features for Python 3.10 are still being planned and written. Among the major new features and changes so far:

  • PEP 623 – Deprecate and prepare for the removal of the wstr member in PyUnicodeObject.
  • PEP 604 – Allow writing union types as X | Y
  • PEP 612 – Parameter Specification Variables
  • PEP 626 – Precise line numbers for debugging and other tools.
  • bpo-38605: from __future__ import annotations (PEP 563) is now the default.
  • PEP 618 – Add Optional Length-Checking To zip.
  • bpo-12782: Parenthesized context managers are now officially allowed.
  • PEP 632 – Deprecate distutils module.
  • PEP 613 – Explicit Type Aliases
  • PEP 634 – Structural Pattern Matching: Specification
  • PEP 635 – Structural Pattern Matching: Motivation and Rationale
  • PEP 636 – Structural Pattern Matching: Tutorial
  • PEP 644 – Require OpenSSL 1.1.1 or newer
  • PEP 624 – Remove Py_UNICODE encoder APIs
  • PEP 597 – Add optional EncodingWarning
  • (Hey, fellow core developer, if a feature you find important is missing from this list, let Pablo know.)

The next pre-release of Python 3.10 will be 3.10.0b1 (the first beta release and feature freeze), currently scheduled for Monday, 2021-05-03.

And now for something completely different

In physics, the twin paradox is a thought experiment in special relativity involving identical twins, one of whom makes a journey into space in a high-speed rocket and returns home to find that the twin who remained on Earth has aged more. This result appears puzzling because each twin sees the other twin as moving, and so, as a consequence of an incorrect and naive application of time dilation and the principle of relativity, each should paradoxically find the other to have aged less. However, this scenario can be resolved by realising that the travelling twin is undergoing acceleration, which makes him a non-inertial observer. In both views, there is no symmetry between the spacetime paths of the twins. Therefore, the twin paradox is not a paradox in the sense of a logical contradiction.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Pablo Galindo Salgado @pablogsal
Ned Deily @nad
Steve Dower @steve.dower

Sunday, April 4, 2021

Python 3.9.4 hotfix is now available

Python 3.9.3 was released two days ago on Friday, April 2nd. It contains important security content listed below for reference. Unfortunately, it also introduced an unintentional ABI incompatibility, making some C extensions built with Python 3.9.0 - 3.9.2 crash with Python 3.9.3 on 32-bit systems. To minimize disruption, I decided to recall 3.9.3 and introduce this hotfix release: 3.9.4.

We highly recommend upgrading your Python 3.9 installations to 3.9.4 at your earliest convenience.

Get it here:

https://www.python.org/downloads/release/python-394/

What is “ABI compatibility”?

Python guarantees that within a given language series (like the current 3.9) binary extensions written in C or C++ and compiled against headers of one release (like 3.9.0) will be importable from other versions in the same series (like 3.9.3). If this weren’t the case, library authors would have to ship separate binary wheels on PyPI for every single bugfix release of Python. That would be very inconvenient.

What broke in Python 3.9.3?

In a fix for a corner-case crash around recursion limits and exceptions, the PyThreadState struct needed to change. While PyThreadState’s only documented public member is the *interp field, it’s not uncommon for C extensions to access other fields in this struct as well.

When I approved the backport of this fix, I missed the fact that the variable size change would change the memory layout of said struct on 32-bit systems (on 64-bit systems alignment rules made the size change backwards compatible). Merging the backport was a mistake, and so 3.9.4 reverts it to restore compatibility with binary extensions built against Python 3.9.0 - 3.9.2. Details in bpo-43710.
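The following is an added illustration, not code from the blog post or from CPython, of why the struct change described above could be invisible on 64-bit and still break the ABI on 32-bit: inserting a 4-byte field in front of a pointer lands in padding that 8-byte pointer alignment already reserved, but on 32-bit there is no such padding. The field names are hypothetical and do not reproduce PyThreadState's real layout.

```python
import ctypes


def layout(fields, ptr_size):
    """Compute (size, {field: offset}) for a C struct under the usual
    natural-alignment rules: each field is aligned to its own width and the
    total size is rounded up to the largest field alignment.
    fields is a list of (name, width) with width an int or "ptr";
    ptr_size is the pointer width (4 on 32-bit, 8 on 64-bit)."""
    offset = 0
    max_align = 1
    offsets = {}
    for name, width in fields:
        width = ptr_size if width == "ptr" else width
        offset = (offset + width - 1) // width * width   # pad up to the field's alignment
        offsets[name] = offset
        offset += width
        max_align = max(max_align, width)
    size = (offset + max_align - 1) // max_align * max_align  # tail padding
    return size, offsets


# Hypothetical "before" and "after" shapes of a thread-state-like struct:
# the patch inserts one int ahead of a pointer that extensions reach into.
BEFORE = [("depth", 4), ("next_ptr", "ptr")]
AFTER = [("depth", 4), ("new_flag", 4), ("next_ptr", "ptr")]


def abi_compatible(before, after, ptr_size):
    """True when the struct size is unchanged and every field that exists in
    both versions keeps its offset, i.e. an extension compiled against
    'before' reads the same bytes it expects from an 'after' object."""
    size_b, off_b = layout(before, ptr_size)
    size_a, off_a = layout(after, ptr_size)
    same_offsets = all(off_a[n] == off_b[n] for n in off_b if n in off_a)
    return size_a == size_b and same_offsets


def native_check():
    """Cross-check the calculator against ctypes, which uses the real
    compiler rules for the pointer width of the interpreter running this."""
    class Before(ctypes.Structure):
        _fields_ = [("depth", ctypes.c_int), ("next_ptr", ctypes.c_void_p)]

    class After(ctypes.Structure):
        _fields_ = [("depth", ctypes.c_int), ("new_flag", ctypes.c_int),
                    ("next_ptr", ctypes.c_void_p)]

    ptr = ctypes.sizeof(ctypes.c_void_p)
    return (ctypes.sizeof(Before), ctypes.sizeof(After)) == (
        layout(BEFORE, ptr)[0], layout(AFTER, ptr)[0])


if __name__ == "__main__":
    for ptr in (8, 4):
        print(f"ptr={ptr}: before={layout(BEFORE, ptr)[0]} after={layout(AFTER, ptr)[0]} "
              f"compatible={abi_compatible(BEFORE, AFTER, ptr)}")
```

With 8-byte pointers both versions are 16 bytes with `next_ptr` at offset 8; with 4-byte pointers the size grows from 8 to 12 and `next_ptr` moves from offset 4 to 8, which is the class of breakage a size-only review on a 64-bit machine misses.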

Security Content in Python 3.9.3

  • bpo-43631: high-severity CVE-2021-3449 and CVE-2021-3450 were published for OpenSSL; it has been upgraded to 1.1.1k in CI and in the macOS and Windows installers.
  • bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
  • bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
  • bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.

Release Calendar

Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.5 planned for May 3rd 2021 as well.

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.3 specifically.

Detailed information about all changes made in version 3.8.9 can be found in its respective changelog.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Łukasz Langa @ambv
Ned Deily @nad
Steve Dower @steve.dower

Friday, April 2, 2021

Python 3.9.3 and 3.8.9 are now available

Those are expedited security releases, recommended to all users. Get them here:

https://www.python.org/downloads/release/python-389/

Note: 3.9.3 has been recalled due to introducing unintentional ABI incompatibility. Download 3.9.4 instead: https://www.python.org/downloads/release/python-394/.

Security Content

  • bpo-43631: high-severity CVE-2021-3449 and CVE-2021-3450 were published for OpenSSL; it has been upgraded to 1.1.1k in CI and in the macOS and Windows installers.
  • bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
  • bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
  • bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.
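The bpo-43285 ftplib change listed above (and in the 3.9.4 post) is easiest to see in code. The following is an added example, not the blog post's or CPython's own implementation: parse_pasv_reply() mirrors the described behaviour, ignoring the server-supplied IPv4 address unless the trust flag is set, and the 227 reply and peer address are constructed sample data.

```python
import re
import ftplib

# The six comma-separated numbers of a 227 reply: four address octets, then
# the high and low byte of the data port.
PASV_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv_reply(reply, control_peer_host, trust_server_pasv_ipv4_address=False):
    """Return the (host, port) to use for the data connection.

    Hardened default: the address advertised by the server is discarded and
    the peer address of the control connection is used instead, so a server
    cannot steer the client's data connection at another host/port on the
    client's network.  trust_server_pasv_ipv4_address=True restores the old
    behaviour for deployments that genuinely need it."""
    if not reply.startswith("227"):
        raise ftplib.error_reply(reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise ftplib.error_proto(reply)
    numbers = [int(n) for n in m.groups()]
    if any(n > 255 for n in numbers):
        # Extra check in this example: every octet and port byte must fit a byte.
        raise ftplib.error_proto(reply)
    untrusted_host = ".".join(str(n) for n in numbers[:4])
    port = (numbers[4] << 8) + numbers[5]
    host = untrusted_host if trust_server_pasv_ipv4_address else control_peer_host
    return host, port


# Constructed sample: we are talking to 203.0.113.10, but its PASV reply
# advertises an address that is private from the client's point of view.
SAMPLE_REPLY = "227 Entering Passive Mode (10,0,0,5,19,136)"
CONTROL_PEER = "203.0.113.10"


def default_attribute_is_hardened():
    """Stock ftplib since the fix: FTP instances carry the opt-in attribute
    and it defaults to False (no network access is made here)."""
    return getattr(ftplib.FTP(), "trust_server_pasv_ipv4_address", None) is False


if __name__ == "__main__":
    print("hardened :", parse_pasv_reply(SAMPLE_REPLY, CONTROL_PEER))
    print("legacy   :", parse_pasv_reply(SAMPLE_REPLY, CONTROL_PEER,
                                         trust_server_pasv_ipv4_address=True))
    print("ftplib default is hardened:", default_attribute_is_hardened())
```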

Release Calendar

Due to the security fixes, those releases are made a month sooner than planned. I decided to keep the release calendar intact, meaning that the last full regular maintenance release of Python 3.8 is still planned for May 3rd 2021, after which it will shift to source-only releases containing security fixes only. Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.3 planned for May 3rd 2021 as well.

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.3 specifically.

Detailed information about all changes made in version 3.8.9 can be found in its respective changelog.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Łukasz Langa @ambv

Monday, March 1, 2021

Python 3.10.0a6 is now available for testing

Remember us? It’s your friendly CPython release team and we have something we think you may like: The new alpha release of Python 3.10 is here, now with 100% more pattern matching. If I were you, I would download it and start playing with it. Extra points if you report any bugs you find along the way! Are you confused about all this pattern matching business? Fear not, this release also includes some fantastic documentation and some shiny new “What’s new” entries.

Check them here and tell us how we can improve them:

https://docs.python.org/3.10/whatsnew/3.10.html

https://docs.python.org/3.10/tutorial/controlflow.html#match-statements

Go get the new alpha here:

https://www.python.org/downloads/release/python-3100a6/

This is an early developer preview of Python 3.10

Major new features of the 3.10 series, compared to 3.9

Python 3.10 is still in development. This release, 3.10.0a6, is the sixth of seven planned alpha releases. Alpha releases are intended to make it easier to test the current state of new features and bug fixes and to test the release process. During the alpha phase, features may be added up until the start of the beta phase (2021-05-03) and, if necessary, may be modified or deleted up until the release candidate phase (2021-10-04). Please keep in mind that this is a preview release and its use is not recommended for production environments.

Many new features for Python 3.10 are still being planned and written. Among the major new features and changes so far:

  • PEP 623 – Remove wstr from Unicode
  • PEP 604 – Allow writing union types as X | Y
  • PEP 612 – Parameter Specification Variables
  • PEP 626 – Precise line numbers for debugging and other tools.
  • bpo-38605: from __future__ import annotations (PEP 563) is now the default.
  • PEP 618 – Add Optional Length-Checking To zip.
  • bpo-12782: Parenthesized context managers are now officially allowed.
  • PEP 632 – Deprecate distutils module.
  • PEP 613 – Explicit Type Aliases
  • PEP 634 – Structural Pattern Matching: Specification
  • PEP 635 – Structural Pattern Matching: Motivation and Rationale
  • PEP 636 – Structural Pattern Matching: Tutorial
  • (Hey, fellow core developer, if a feature you find important is missing from this list, let Pablo know.)

The next pre-release of Python 3.10 will be 3.10.0a7 (last alpha release), currently scheduled for Monday, 2021-04-05.

And now for something completely different

Schwarzschild wormholes, also known as Einstein–Rosen bridges (named after Albert Einstein and Nathan Rosen), are connections between areas of space that can be modelled as vacuum solutions to the Einstein field equations, and that are now understood to be intrinsic parts of the maximally extended version of the Schwarzschild metric describing an eternal black hole with no charge and no rotation. Here, “maximally extended” refers to the idea that the spacetime should not have any “edges”: it should be possible to continue this path arbitrarily far into the particle’s future or past for any possible trajectory of a free-falling particle (following a geodesic in the spacetime).

Although Schwarzschild wormholes are not traversable in both directions, their existence inspired Kip Thorne to imagine traversable wormholes created by holding the “throat” of a Schwarzschild wormhole open with exotic matter (material that has negative mass/energy).

Friday, February 19, 2021

Python 3.9.2 and 3.8.8 are now available

Convinced of the wonders of free two-day deliveries, I’m pleased to present you Python 3.9.2 and 3.8.8. Get them from:



Next up, the last full regular maintenance release of Python 3.8 is planned for May 3rd 2021, after which it will shift to source-only releases containing security fixes only. Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.3 planned for early May 2021.

Why the expedited final release?

This release, just as the candidate before it, contains two security fixes:

  • bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values. This issue was assigned CVE-2021-3177.

  • bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator. This issue was assigned CVE-2021-23336.

Since the announcement of the release candidates for 3.9.2 and 3.8.8, we received a number of inquiries from end users urging us to expedite the final releases due to the security content, especially CVE-2021-3177.

This took us somewhat by surprise since we believed security content is cherry-picked by downstream distributors from source either way, and the RC releases provide installers for everybody else interested in upgrading in the meantime. It turns out that release candidates are mostly invisible to the community and in many cases cannot be used due to upgrade processes which users have in place.

As a result, the other active release managers and I decided to stop providing release candidates for bugfix versions. From now on, after the initial 3.x.0 final release, all subsequent releases are going to be provided as is in bi-monthly intervals. The release calendar PEPs for 3.8 and 3.9 have been updated accordingly.

On the severity of CVE-2021-3177

We recommend you upgrade your systems to Python 3.8.8 or 3.9.2.

Our understanding is that while the CVE is listed as “remote code execution”, practical exploits of this vulnerability as such are very unlikely due to the following conditions needing to be met for successful RCE:

  • pass an untrusted floating point number from a remote party to ctypes.c_double.from_param (note: Python floating point numbers were not affected);
  • have that object be passed to repr() (for instance through logging);
  • have that floating point number be valid machine code;
  • have the buffer overflow overwrite the stack at exactly the right place for the code to get executed.

In fact, Red Hat’s evaluation of the vulnerability was consistent with ours. They write: “the highest threat from this vulnerability is to system availability.”

To be sure, denial of service through malicious input is also a serious issue. Thus, to help the community members for whom the release candidate was insufficient, we are releasing the final versions of 3.9.2 and 3.8.8 today.

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.2rc1 specifically. The final release only contains a single bugfix over the release candidate.

Detailed information about all changes made in version 3.8.8rc1 specifically can be found in its respective changelog. The final version contains no changes over the release candidate.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Łukasz Langa @ambv

Wednesday, February 17, 2021

Python 3.9.2rc1 and 3.8.8rc1 are now available for testing

I’m happy to announce two release candidates today: Python 3.9.2rc1, and Python 3.8.8rc1. Get them from:



Unless critical issues are discovered, both release candidates will become their respective final versions on Monday, March 1st.

Following that, the last full regular maintenance release of Python 3.8 is planned for May 3rd 2021, after which it will shift to source-only releases containing security fixes only. Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.3 planned for early May 2021.

Notable security content in today’s releases

  • bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.

  • bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
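The bpo-42967 separator change (also listed in the 3.9.2 final announcement as CVE-2021-23336) is a web cache poisoning issue: a cache that splits the query string only on & and an application that also splits on ; disagree about which parameters a URL carries. The following is an added example, not the blog post's or CPython's own code; it uses the separator= argument that the fixed urllib.parse.parse_qs accepts, and the URL and the cache's strip list are constructed sample data.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample request.  A cache that only understands "&" sees a single
# parameter, utm_source="cache;admin=1", and strips it as a tracking parameter.
SAMPLE_URL = "https://example.test/page?utm_source=cache;admin=1"
# Parameters this hypothetical cache removes before computing its cache key.
STRIPPED_BY_CACHE = {"utm_source"}


def app_params(url, separator="&"):
    """Parse the query the way a patched Python application does.  The hardened
    default separator is '&'; the caller may choose another single separator."""
    return parse_qs(urlsplit(url).query, separator=separator)


def legacy_params(url):
    """Emulate the pre-fix parse_qs behaviour, which split on both '&' and ';'."""
    out = {}
    for part in urlsplit(url).query.replace(";", "&").split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        out.setdefault(key, []).append(value)
    return out


def cache_key_params(url):
    """What the cache keys on: '&'-separated parameters minus the ones it strips."""
    params = parse_qs(urlsplit(url).query, separator="&")
    for name in STRIPPED_BY_CACHE:
        params.pop(name, None)
    return params


def hidden_params(url, legacy=False):
    """Parameter names the application acts on that the cache key does not
    capture.  Any non-empty result means two requests with the same cache key
    can yield different application output, which is the poisoning condition."""
    seen = legacy_params(url) if legacy else app_params(url)
    return sorted(set(seen) - set(cache_key_params(url)) - STRIPPED_BY_CACHE)


if __name__ == "__main__":
    print("legacy app sees :", legacy_params(SAMPLE_URL))
    print("patched app sees:", app_params(SAMPLE_URL))
    print("hidden (legacy) :", hidden_params(SAMPLE_URL, legacy=True))
    print("hidden (patched):", hidden_params(SAMPLE_URL))
```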

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.2rc1 specifically.

Detailed information about all changes made in version 3.8.8rc1 specifically can be found in its change log.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Łukasz Langa @ambv

Monday, February 15, 2021

Python 3.7.10 and 3.6.13 security updates now available

Python 3.7.10 and 3.6.13, the latest security fix rollups for Python 3.7 and Python 3.6, are now available. You can find the release files, links to the changelogs, and more information here:

    https://www.python.org/downloads/release/python-3710/
    https://www.python.org/downloads/release/python-3613/
These releases are source code only; Windows and macOS binary installers are not provided for security fix releases.

Note that Python 3.9 is now the latest feature release series of Python 3. You should consider upgrading to 3.9 as soon as practical. Get the latest release of 3.9.x here.

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.