[Python-Dev] [WARNING] Some users who downloaded the Python 3.5.8 .xz tarball got the wrong version

Michael aixtools at felt.demon.nl
Thu Oct 31 08:30:46 EDT 2019 

On 31/10/2019 00:17, Larry Hastings wrote:
>
>
> Due to awkward CDN caching, some users who downloaded the source code
> tarballs of Python 3.5.8 got a preliminary version instead of the
> final version.  As best as we can tell, this only affects the .xz
> release; there are no known instances of users downloading an
> incorrect version of the .tgz file.
>
> If you downloaded "Python-3.5.8.tar.xz" during the first twelve hours
> of its release, you might be affected.  It's easy to determine this
> for yourself.  The file size (15,382,140 bytes) and MD5 checksum
> (4464517ed6044bca4fc78ea9ed086c36) published on the release page have
> always matched the correct version.  Also, the GPG signature file will
> only report a "Good signature" for the correct .xz file (using "gpg
> --verify").
>
> What's the difference between the two?  The only difference is that
> the final version also merges a fix for Python issue tracker #38243:
>
>     https://bugs.python.org/issue38243
>
> The fix adds a call to "html.escape" at a judicious spot, line 896 in
> Lib/xmlrpc/server.py.  The only other changes are one new test, to
> ensure this new code is working, and an entry in the NEWS file.  You
> can see the complete list of changes here:
>
>     https://github.com/python/cpython/pull/16516/files
>
> What should you do?  It's up to you.
>
>   * If you and your users aren't using the XMLRPC library built in to
>     Python, you don't need to worry about which version of 3.5.8 you
>     downloaded.
>   * If you downloaded the .tgz tarball or the Git repo, you already
>     have the correct version.
>   * If you downloaded the xz file and want to make sure you have the
>     fix, check the MD5 sum, and if it's wrong download a fresh copy
>     (and make sure that one matches the known good MD5 sum!).
>
> To smooth over this whole sordid mess, I plan to make a 3.5.9 release
> in the next day or so.  It'll be identical to the 3.5.8 release; its
> only purpose is to ensure that all users have the same updated source
> code, including the fix for #38243.
>
>
> Sorry for the mess, everybody,
>
a) "Congratulations" on the 3.5.8 release

b) excellent solution - to up the release number!

c) Thanks!!

>
> //arry/
>
>
> _______________________________________________
> Python-Dev mailing list -- python-dev at python.org
> To unsubscribe send an email to python-dev-leave at python.org
> https://mail.python.org/mailman3/lists/python-dev.python.org/
> Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/OYNQS2BZYABXACBRHBHV4RCEPQU5R6EP/
> Code of Conduct: http://python.org/psf/codeofconduct/


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mail.python.org/pipermail/python-list/attachments/20191031/89c842f4/attachment.sig>

More information about the Python-list mailing list