Py Day is coming: a joint security release spree for Python 3.7, 3.8, 3.9, and 3.10 on March 14th

Hi there,
we have some security content that built up to a need to release all versions of Python pretty soon. The Release Managers decided to perform all of them in one go on March 14th. We have a few things to ask you.

  1. Please keep buildbots green this week across the board. There are quite a few people involved in the releases on Mar 14th. We’d like to avoid last-minute fixes or deadline slippage.

  2. A few of the security-related updates are still in flight, please help if you can:

  3. If you have any other security-related changes you’d like to see released next week, the time is now to land them in the relevant branches.

Cheers,
Your Friendly RMs

12 Likes

If you’re wondering what happened to this, we’re still at it. There were a few hiccups:

  1. OpenSSL announced a high-priority fix for March 15th, and we had no choice other than to wait for it.
  2. After the OpenSSL release went live today at 5pm CET, we started doing the four releases. Tags for installer-free releases (v3.7.13 and v3.8.13) were pushed to python/cpython. By mistake I also pushed the v3.9.11 tag early (git push --tags pushes all of them).
  3. Late in the process we discovered a compile error while building the Windows installer, introduced in the fix for BPO-46948. It affects all four releases.
  4. We decided to redo them after including the fix, as the Windows installer is one of the security fixes in each of those releases.
  5. I removed the already built artifacts and deleted the three tags mentioned above that were briefly in the python/cpython repo.

We will be restarting the releases in around 12 hours. The only difference will be the compilation error fix for the Windows installer. If you already built an upstream package off one of the stale tags, the purest option is to redo it tomorrow.

We are sorry for the inconvenience.

3 Likes
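
For packagers who fetched v3.7.13, v3.8.13 or v3.9.11 before those tags were deleted, one way to check whether a local tag still matches upstream. This is an added example, not part of the original posts or of CPython's release tooling; the function name `stale_tags` and the remote name `origin` in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: report local release tags that no longer match the remote.
# Usage (remote name "origin" is an assumption):
#   sh check_tags.sh origin v3.7.13 v3.8.13 v3.9.11

# stale_tags REMOTE TAG...
# Prints one line per problem tag:
#   "<tag> missing-upstream"  the tag exists locally but not on the remote
#   "<tag> moved"             the remote tag now names a different object
# Returns 0 if every given local tag matches the remote, 1 if any is stale,
# 2 if the remote could not be queried. Tags absent locally are skipped.
stale_tags() {
    remote=$1; shift
    # One round trip: "<sha><TAB>refs/tags/<name>" per tag. --refs drops the
    # peeled "^{}" entries, so annotated tags are compared by tag object id.
    remote_refs=$(git ls-remote --refs --tags "$remote") || return 2
    stale=0
    for tag in "$@"; do
        local_sha=$(git rev-parse --verify --quiet "refs/tags/$tag") || continue
        remote_sha=$(printf '%s\n' "$remote_refs" |
            awk -v ref="refs/tags/$tag" '$2 == ref { print $1 }')
        if [ -z "$remote_sha" ]; then
            echo "$tag missing-upstream"; stale=1
        elif [ "$remote_sha" != "$local_sha" ]; then
            echo "$tag moved"; stale=1
        fi
    done
    return $stale
}

# Run only when arguments are given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    stale_tags "$@"
fi
```

A plain `git fetch` does not delete local tags that were removed upstream and does not overwrite ones that were re-created, so a stale tag stays in a clone until it is removed or force-updated by hand.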