Tuesday, April 6, 2021

Python 3.10.0a7 is now available for testing

Brrrrr… do you feel that? That’s the chill of beta freeze coming closer. Meanwhile, your friendly CPython release team doesn’t rest even on holidays and we have prepared a shiny new release for you: Python 3.10.0a7.

Get the new release here:

https://www.python.org/downloads/release/python-3100a7/

Python 3.10.0a7

Release Date: April 5, 2021

This is an early developer preview of Python 3.10

Major new features of the 3.10 series, compared to 3.9

Python 3.10 is still in development. This release, 3.10.0a7, is the last of seven planned alpha releases. Alpha releases are intended to make it easier to test the current state of new features and bug fixes and to test the release process. During the alpha phase, features may be added up until the start of the beta phase (2021-05-03) and, if necessary, may be modified or deleted up until the release candidate phase (2021-10-04). Please keep in mind that this is a preview release and its use is not recommended for production environments.

Many new features for Python 3.10 are still being planned and written. Among the major new features and changes so far:

  • PEP 623 – Deprecate and prepare for the removal of the wstr member in PyUnicodeObject.
  • PEP 604 – Allow writing union types as X | Y
  • PEP 612 – Parameter Specification Variables
  • PEP 626 – Precise line numbers for debugging and other tools.
  • bpo-38605: from __future__ import annotations (PEP 563) is now the default.
  • PEP 618 – Add Optional Length-Checking To zip.
  • bpo-12782: Parenthesized context managers are now officially allowed.
  • PEP 632 – Deprecate distutils module.
  • PEP 613 – Explicit Type Aliases
  • PEP 634 – Structural Pattern Matching: Specification
  • PEP 635 – Structural Pattern Matching: Motivation and Rationale
  • PEP 636 – Structural Pattern Matching: Tutorial
  • PEP 644 – Require OpenSSL 1.1.1 or newer
  • PEP 624 – Remove Py_UNICODE encoder APIs
  • PEP 597 – Add optional EncodingWarning
  • (Hey, fellow core developer, if a feature you find important is missing from this list, let Pablo know.)

The next pre-release of Python 3.10 will be 3.10.0b1 (the first beta release and feature freeze), currently scheduled for Monday, 2021-05-03.

And now for something completely different

In physics, the twin paradox is a thought experiment in special relativity involving identical twins, one of whom makes a journey into space in a high-speed rocket and returns home to find that the twin who remained on Earth has aged more. This result appears puzzling because each twin sees the other twin as moving, and so, as a consequence of an incorrect and naive application of time dilation and the principle of relativity, each should paradoxically find the other to have aged less. However, this scenario can be resolved by realising that the travelling twin is undergoing acceleration, which makes him a non-inertial observer. In both views, there is no symmetry between the spacetime paths of the twins. Therefore, the twin paradox is not a paradox in the sense of a logical contradiction.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Pablo Galindo Salgado @pablogsal
Ned Deily @nad
Steve Dower @steve.dower

Sunday, April 4, 2021

Python 3.9.4 hotfix is now available

Python 3.9.3 was released two days ago on Friday, April 2nd. It contains important security content listed below for reference. Unfortunately, it also introduced an unintentional ABI incompatibility, making some C extensions built with Python 3.9.0 - 3.9.2 crash with Python 3.9.3 on 32-bit systems. To minimize disruption, I decided to recall 3.9.3 and introduce this hotfix release: 3.9.4.

We highly recommend upgrading your Python 3.9 installations to 3.9.4 at your earliest convenience.

Get it here:

https://www.python.org/downloads/release/python-394/

What is “ABI compatibility”?

Python guarantees that within a given language series (like the current 3.9) binary extensions written in C or C++ and compiled against headers of one release (like 3.9.0) will be importable from other versions in the same series (like 3.9.3). If this weren’t the case, library authors would have to ship separate binary wheels on PyPI for every single bugfix release of Python. That would be very inconvenient.

What broke in Python 3.9.3?

In a fix for a corner-case crash around recursion limits and exceptions, the PyThreadState struct needed to change. While PyThreadState’s only documented public member is the *interp field, it’s not uncommon for C extensions to access other fields in this struct as well.

When I approved the backport of this fix, I missed the fact that the variable size change would change the memory layout of said struct on 32-bit systems (on 64-bit systems alignment rules made the size change backwards compatible). Merging the backport was a mistake, and so 3.9.4 reverts it to restore compatibility with binary extensions built against Python 3.9.0 - 3.9.2. Details in bpo-43710.

Security Content in Python 3.9.3

  • bpo-43631: high-severity CVE-2021-3449 and CVE-2021-3450 were published for OpenSSL; it’s been upgraded to 1.1.1k in CI, and macOS and Windows installers.
  • bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
  • bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
  • bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.
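The bpo-43285 change in code, as an added example (not taken from the release notes or from CPython's source): ftplib.parse227 is the standard library's parser for 227 replies, while data_endpoint, audit_replies and the sample records are constructed here for illustration.

```python
import ftplib
import ipaddress

def interpreter_default():
    """Class-level default of the attribute; None means this Python predates the fix."""
    return getattr(ftplib.FTP, "trust_server_pasv_ipv4_address", None)

def data_endpoint(reply, control_peer, trust_server=False):
    """Choose the data-channel address as the fixed client does.

    reply         raw 227 response line sent by the server
    control_peer  IP address the control connection is really connected to
    trust_server  plays the role of FTP.trust_server_pasv_ipv4_address
    """
    advertised_host, port = ftplib.parse227(reply)
    return (advertised_host if trust_server else control_peer), port

def audit_replies(records):
    """Flag 227 replies whose advertised host differs from the control peer."""
    findings = []
    for peer, reply in records:
        try:
            advertised, port = ftplib.parse227(reply)
            ip = ipaddress.ip_address(advertised)
        except (ftplib.Error, ValueError) as exc:
            findings.append((peer, "unparseable", str(exc)))
            continue
        if advertised == peer:
            continue  # server points back at itself: nothing to report
        scope = "internal" if (ip.is_private or ip.is_loopback) else "external"
        findings.append((peer, scope, f"{advertised}:{port}"))
    return findings

# Constructed sample: (control-connection peer, PASV reply as logged by a client)
SAMPLE = [
    ("198.51.100.7", "227 Entering Passive Mode (198,51,100,7,195,80)"),
    ("198.51.100.7", "227 Entering Passive Mode (192,168,1,10,0,22)"),
    ("198.51.100.7", "227 Entering Passive Mode (127,0,0,1,31,144)"),
]

if __name__ == "__main__":
    print("stdlib default:", interpreter_default())
    for finding in audit_replies(SAMPLE):
        print(finding)
```

Run over client-side FTP logs, the same comparison shows which servers would have steered data connections elsewhere before the fix, and which integrations might be tempted to set the attribute back to True.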

Release Calendar

Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.5 planned for May 3rd 2021 as well.

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.3 specifically.

Detailed information about all changes made in version 3.8.9 can be found in its respective changelog.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Łukasz Langa @ambv
Ned Deily @nad
Steve Dower @steve.dower
 

Friday, April 2, 2021

Python 3.9.3 and 3.8.9 are now available

Those are expedited security releases, recommended to all users. Get them here:

https://www.python.org/downloads/release/python-389/

Note: 3.9.3 has been recalled due to introducing unintentional ABI incompatibility. Download 3.9.4 instead: https://www.python.org/downloads/release/python-394/.

Security Content

  • bpo-43631: high-severity CVE-2021-3449 and CVE-2021-3450 were published for OpenSSL; it’s been upgraded to 1.1.1k in CI, and macOS and Windows installers.
  • bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
  • bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
  • bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.
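One way to consume the audit events added by bpo-43439, as an added example (not code from the release or from CPython): a sys.addaudithook callback that records which function asked to walk the heap and can refuse the call. The names observed, deny, inspect_heap and run_demo are hypothetical, and the token is constructed.

```python
import gc
import sys

GC_EVENTS = frozenset({"gc.get_objects", "gc.get_referrers", "gc.get_referents"})
observed = []   # (event name, name of the calling function)
deny = False    # policy switch: True makes the hook refuse heap introspection

def gc_audit_hook(event, args):
    if event not in GC_EVENTS:
        return
    # Frame 0 is this hook; frame 1 is the Python code that called into gc.
    caller = sys._getframe(1).f_code.co_name
    observed.append((event, caller))
    if deny:
        # An exception raised by an audit hook aborts the audited operation.
        raise PermissionError(f"{event} blocked by audit policy")

sys.addaudithook(gc_audit_hook)  # audit hooks cannot be removed once added

def inspect_heap(obj):
    """Stand-in for library code that looks up what references an object."""
    return gc.get_referrers(obj)

def run_demo():
    """Call inspect_heap once in log-only mode and once in deny mode."""
    global deny
    observed.clear()
    token = ["constructed-secret"]
    deny = False
    inspect_heap(token)
    deny = True
    try:
        inspect_heap(token)
        blocked = False
    except PermissionError:
        blocked = True
    finally:
        deny = False
    return list(observed), blocked

if __name__ == "__main__":
    print(run_demo())
```

On interpreters older than 3.9.3 / 3.8.9 these three events are never raised, so the hook stays silent and the deny switch has no effect.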

Release Calendar

Due to the security fixes, those releases are made a month sooner than planned. I decided to keep the release calendar intact, meaning that the last full regular maintenance release of Python 3.8 is still planned for May 3rd 2021, after which it will shift to source releases only for security bug fixes only. Maintenance releases for the 3.9 series will continue at regular bi-monthly intervals, with 3.9.3 planned for May 3rd 2021 as well.

What’s new?

The Python 3.9 series contains many new features and optimizations over 3.8. See the “What’s New in Python 3.9” document for more information about features included in the 3.9 series. We also have a detailed change log for 3.9.3 specifically.

Detailed information about all changes made in version 3.8.9 can be found in its respective changelog.

We hope you enjoy those new releases!

Thanks to all of the many volunteers who help make Python Development and these releases possible! Please consider supporting our efforts by volunteering yourself or through organization contributions to the Python Software Foundation.

Your friendly release team,
Ned Deily @nad
Steve Dower @steve.dower
Łukasz Langa @ambv