Python's "Source-only security fix releases" policy - where does it come from?

I have been trying to find in the depths of the internet the discussions which lead to the policy that, once the life cycle of a Python version reached the phase where only security fixes are released, those fixes are released only as source-code. But I cannot come up with search terms which are not too broad to find those very discussions. Can anyone help me?
In my opinion, this is a very strange decision, and I just wanted to find out how it came to be and whether there might be a chance to open this up for discussion again.

Maybe this PEP PEP 602 – Annual Release Cycle for Python | as a starting point

I can’t point to chapter and verse, but I think it boils down to two things. One, core developers and release managers are scarce resources. Doing full releases for old releases would strain those scarce resources. Two, I think it’s expected that old versions are often maintained by other organizations, such as OS vendors (think Ubuntu, Debian, Apple, etc) or third party software organizations (Anaconda, Homebrew, etc). Source distributions are generally enough for them to be about their business.

1 Like

Most Python security issues, such as denial-of-service attacks, only affect servers. CPython Windows and Mac installers are for end-user machines, not for servers. There is little point to upgrading such installations. Most commercial servers run on Linux, and any servers on Windows likely and can easily compile Python with the settings desired for the server.