Friday, February 19, 2021

Python 3.9.2 and 3.8.8 are now available

Convinced of the wonders of free two-day deliveries, I’m pleased to present you Python 3.9.2 and 3.8.8. Get them from:



Next up, the last full regular maintenance release of Python 3.8 is planned for May 3rd 2021, after which it will shift to source releases only for security bug fixes only. Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.3 planned for early May 2021.

Why the expedited final release?

This release, just as the candidate before it, contains two security fixes:

  • bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values. This issue was assigned CVE-2021-3177.

  • bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator. This issue was assigned CVE-2021-23336.
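To illustrate the separator change in bpo-42967, the following added example (not part of the announcement or of CPython's code) flags query strings that an `&`-only parser and an `&`/`;` parser read differently, and probes how the running interpreter's `urllib.parse.parse_qsl` behaves. The helper names, the simplified `split_pairs` model and the sample queries are assumptions made for this illustration.

```python
from urllib.parse import parse_qsl, unquote_plus


def split_pairs(query, separators):
    """Simplified model of query parsing: split on every character in
    `separators`, then percent-decode each name and value."""
    fields = [query]
    for sep in separators:
        fields = [part for field in fields for part in field.split(sep)]
    pairs = []
    for field in fields:
        if field:
            name, _, value = field.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def parsers_disagree(query):
    """True when an '&'-only parser and an '&'/';' parser see different parameters."""
    return split_pairs(query, "&") != split_pairs(query, "&;")


def runtime_splits_on_semicolon():
    """Behavioural probe of the running interpreter's urllib.parse.parse_qsl."""
    return parse_qsl("a=1;b=2") == [("a", "1"), ("b", "2")]


# Constructed sample query strings, not taken from any real traffic.
SAMPLE_QUERIES = [
    "page=2&sort=asc",
    "q=shoes;utm_content=x",  # literal ';' is read two different ways
    "q=a%3Bb&lang=en",        # encoded ';' is decoded after splitting: no ambiguity
    "id=7&id=8",
]


def flag_ambiguous(queries):
    """Return the query strings whose meaning depends on the separator set."""
    return [q for q in queries if parsers_disagree(q)]


if __name__ == "__main__":
    print("runtime still splits on ';':", runtime_splits_on_semicolon())
    for q in flag_ambiguous(SAMPLE_QUERIES):
        print("ambiguous:", q, split_pairs(q, "&"), split_pairs(q, "&;"))
```

A `True` result from `runtime_splits_on_semicolon()` means the interpreter still treats `;` as a separator by default, which is the behaviour the fixed releases changed.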

Since the announcement of the release candidates for 3.9.2 and 3.8.8, we received a number of inquiries from end users urging us to expedite the final releases due to the security content, especially CVE-2021-3177.

This took us somewhat by surprise since we believed security content is cherry-picked by downstream distributors from source either way, and the RC releases provide installers for everybody else interested in upgrading in the meantime. It turns out that release candidates are mostly invisible to the community and in many cases cannot be used due to upgrade processes which users have in place.

In turn, the other active release managers and I decided to stop providing release candidates for bugfix versions. Starting from now on, after the initial 3.x.0 final release, all subsequent releases are going to be provided as is in bi-monthly intervals. The release calendar PEPs for 3.8 and 3.9 have been updated accordingly.

On the severity of CVE-2021-3177

We recommend you upgrade your systems to Python 3.8.8 or 3.9.2.

Our understanding is that while the CVE is listed as “remote code execution”, practical exploits of this vulnerability as such are very unlikely due to the following conditions needing to be met for successful RCE:

  • pass an untrusted floating point number from a remote party to ctypes.c_double.from_param (note: Python floating point numbers were not affected);

  • have that object be passed to repr() (for instance through logging);

  • have that floating point number be valid machine code;

  • have the buffer overflow overwrite the stack at exactly the right place for the code to get executed.

In fact, Red Hat’s evaluation of the vulnerability was consistent with ours. They write: “the highest threat from this vulnerability is to system availability.”

To be sure, denial of service through malicious input is also a serious issue. Thus, to help the community members for whom the release candidate was insufficient, we are releasing the final versions of 3.9.2 and 3.8.8 today.

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.2rc1 specifically. The final release only contains a single bugfix over the release candidate.

Detailed information about all changes made in version 3.8.8rc1 specifically can be found in its respective changelog. The final version contains no changes over the release candidate.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Łukasz Langa @ambv

Wednesday, February 17, 2021

Python 3.9.2rc1 and 3.8.8rc1 are now available for testing

I’m happy to announce two release candidates today: Python 3.9.2rc1, and Python 3.8.8rc1. Get them from:



Unless critical issues are discovered, both release candidates will become their respective final versions on Monday, March 1st.

Following that, the last full regular maintenance release of Python 3.8 is planned for May 3rd 2021, after which it will shift to source releases only for security bug fixes only. Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.3 planned for early May 2021.

Notable security content in today’s releases

  • bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.

  • bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.2rc1 specifically.

Detailed information about all changes made in version 3.8.8rc1 specifically can be found in its change log.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Łukasz Langa @ambv

Monday, February 15, 2021

Python 3.7.10 and 3.6.13 security updates now available

Python 3.7.10 and 3.6.13, the latest security fix rollups for Python 3.7 and Python 3.6, are now available. You can find the release files, links to the changelogs, and more information here:

    https://www.python.org/downloads/release/python-3710/
    https://www.python.org/downloads/release/python-3613/
  
These releases are source code only; Windows and macOS binary installers are not provided for security fix releases.

Note that Python 3.9 is now the latest feature release series of Python 3. You should consider upgrading to 3.9 as soon as practical. Get the latest release of 3.9.x here.

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Wednesday, February 3, 2021

Python 3.10.0a5 is now available for testing

Well, this one took a bit more time due to some surprise last time reference leaks and release blockers to fix, but now Python 3.10.0a5 is here. Will this be the first release announcement of the 3.10 series without copy-paste typos? Go get it here:

https://www.python.org/downloads/release/python-3100a5/

This is an early developer preview of Python 3.10

Major new features of the 3.10 series, compared to 3.9

Python 3.10 is still in development. This release, 3.10.0a5, is the fifth of seven planned alpha releases. Alpha releases are intended to make it easier to test the current state of new features and bug fixes and to test the release process. During the alpha phase, features may be added up until the start of the beta phase (2021-05-03) and, if necessary, may be modified or deleted up until the release candidate phase (2021-10-04). Please keep in mind that this is a preview release and its use is not recommended for production environments.

Many new features for Python 3.10 are still being planned and written. Among the major new features and changes so far:

  • PEP 623 – Remove wstr from Unicode

  • PEP 604 – Allow writing union types as X | Y

  • PEP 612 – Parameter Specification Variables

  • PEP 626 – Precise line numbers for debugging and other tools.

  • bpo-38605: from __future__ import annotations (PEP 563) is now the default.

  • PEP 618 – Add Optional Length-Checking To zip.

  • bpo-12782: Parenthesized context managers are now officially allowed.

    (Hey, fellow core developer, if a feature you find important is missing from this list, let Pablo know.)

The next pre-release of Python 3.10 will be 3.10.0a6, currently scheduled for 2021-03-01.

More resources

And now for something completely different

The Chandrasekhar limit is the maximum mass of a stable white dwarf star. White dwarfs resist gravitational collapse primarily through electron degeneracy pressure, compared to main sequence stars, which resist collapse through thermal pressure. The Chandrasekhar limit is the mass above which electron degeneracy pressure in the star's core is insufficient to balance the star's own gravitational self-attraction. Consequently, a white dwarf with a mass greater than the limit is subject to further gravitational collapse, evolving into a different type of stellar remnant, such as a neutron star or black hole. Those with masses up to the limit remain stable as white dwarfs. The currently accepted value of the Chandrasekhar limit is about 1.4 M☉ (2.765×10^30 kg). So we can be safe knowing that our sun is not going to become a black hole!

Monday, January 4, 2021

Python 3.10.0a4 is now available for testing

Happy new year to all of you. I hope you all have a great start of the year! And how to best celebrate that we have left 2020 behind than with a new Python alpha release? :) Go get it here:

https://www.python.org/downloads/release/python-3100a4/

This is an early developer preview of Python 3.10

Major new features of the 3.10 series, compared to 3.9

Python 3.10 is still in development. This release, 3.10.0a4, is the second of six planned alpha releases.
Alpha releases are intended to make it easier to test the current state of new features and bug fixes and to test the release process.
During the alpha phase, features may be added up until the start of the beta phase (2021-05-03) and, if necessary, may be modified or deleted up until the release candidate phase (2021-10-04). Please keep in mind that this is a preview release and its use is not recommended for production environments.

Many new features for Python 3.10 are still being planned and written. Among the major new features and changes so far:

  • PEP 623 – Remove wstr from Unicode

  • PEP 604 – Allow writing union types as X | Y

  • PEP 612 – Parameter Specification Variables

  • PEP 626 – Precise line numbers for debugging and other tools.

  • bpo-38605: from __future__ import annotations (PEP 563) is now the default.

  • PEP 618 – Add Optional Length-Checking To zip.

  • (Hey, fellow core developer, if a feature you find important is missing from this list, let Pablo know.)

The next pre-release of Python 3.10 will be 3.10.0a5, currently scheduled for 2021-02-01.

More resources

And now for something completely different

The Majumdar–Papapetrou spacetime is one surprising solution of the coupled Einstein-Maxwell equations that describe a cluster of static charged black holes with the gravitational and the electrostatic forces cancelling each other out. Each one of these many black holes of the multi-black holes system has a spherical topology and follows the Reissner–Nordström metric. Unsurprisingly, the movement of a test particle in such spacetime is not only a very chaotic system but also has some fractals hiding the complexity of its movement.

Monday, December 21, 2020

Python 3.8.7 is now available

Python 3.8.7 is the seventh maintenance release of Python 3.8. Go get it here:

https://www.python.org/downloads/release/python-387/

Note: this is a bugfix release for the 3.8 series which was superseded by Python 3.9, currently the latest feature release series of Python 3. You can find the latest release of 3.9.x here.

Maintenance releases for the 3.8 series will continue at regular bi-monthly intervals, with 3.8.8 planned for February 2021.

macOS 11 Big Sur not fully supported

Python 3.8.7 is not yet fully supported on macOS 11 Big Sur. It will install on macOS 11 Big Sur and will run on Apple Silicon Macs using Rosetta 2 translation. However, a few features do not work correctly, most noticeably those involving searching for system libraries (vs user libraries) such as ctypes.util.find_library() and in Distutils. This limitation affects both Apple Silicon and Intel processors. We are looking into improving the situation for Python 3.8.8.

Python 3.9.1 provides full support for Big Sur and Apple Silicon Macs, including building natively on Apple Silicon Macs and support for universal2 binaries.

What’s new?

The Python 3.8 series contains many new features and optimizations over 3.7. See the “What’s New in Python 3.8” document for more information about features included in the 3.8 series.

Detailed information about all changes made in version 3.8.7 specifically can be found in its change log. Note that compared to 3.8.6 this release also contains all changes present in 3.8.7rc1.

We hope you enjoy Python 3.8!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Łukasz Langa @ambv

Monday, December 7, 2020

Python 3.9.1 is now available, together with 3.10.0a3 and 3.8.7rc1

It’s starting to get very cold (at least in the Northern Hemisphere) so we have been carefully packaging a total of three new Python releases to keep you warm these days!

Python 3.9.1

Python 3.9.1 is the first maintenance release of Python 3.9, and also the first version of Python to support macOS 11 Big Sur natively on Apple Silicon. Go get it here.

Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.2 planned for Monday, 2021-02-08.

Python 3.10.0a3

Python 3.10a3 is the third alpha release of Python 3.10. You can get it here:

Python 3.8.7rc1

Python 3.8.7rc1 is the release preview of the next maintenance release of Python 3.8. You can get it here.

Assuming no critical problems are found prior to 2020-12-21, the currently scheduled release date for 3.8.7, no code changes are planned between this release candidate and the final release. That being said, please keep in mind that this is a pre-release of 3.8.7 and as such its main purpose is testing.

And now for something completely different

In mathematics, a Borwein integral is an integral whose unusual properties were first presented by mathematicians David Borwein and Jonathan Borwein in 2001. These integrals are remarkable for exhibiting apparent patterns that eventually break down. The following is an example:

Borwein

This pattern continues up to

Borwein

At the next step the obvious pattern fails,

Borwein

Your friendly release team,

Ned Deily 
Steve Dower 
Pablo Galindo 
Łukasz Langa