Is there some reason that recent Windows 3.6 releases don't include executable nor msi installers?

Terry Reedy tjreedy at udel.edu
Thu May 28 20:51:59 EDT 2020


On 5/28/2020 5:20 PM, Peter J. Holzer wrote:
> On 2020-05-23 13:22:26 -0600, Mats Wichmann wrote:
>> On 5/23/20 12:23 AM, Adam Preble wrote:
>>> I wanted to update from 3.6.8 on Windows without necessarily moving
>>> on to 3.7+ (yet), so I thought I'd try 3.6.9 or 3.6.10.
>>>
>>> All I see for both are source archives:

>> During the early part of a release cycle, installers are built.

Only for Windows and now for macOS.  Python.org only ever distributes 
source archives for *nix.  Distributors can add binaries to their 
package system.

>>  Once
>> the cycle moves into security fix-only mode, installers are not built.

We continue to apply security fixes for the benefit of server operators 
who are slow to upgrade and who want minimal change -- only those that 
they really need.  We make security-fix releases primarily for the 
benefit of *nix distributors who want to update their x.y package, but 
not for every x.y commit.  It also gives a periodic new name for Python 
x.y with a new batch of fixes.

> This seems a rather odd policy to me.

Not if one considers the intended users.
Do you prefer we not make these releases?

Anyone running servers on Windows should have Visual Studio and git 
installed as they should be able to compile their own binaries.  Anyone 
with control of their machine (so that they can download and install 
things) can install VS and git with the instructions in 
devguide.python.org. At that point, clone python/cpython and run 
PCbuild\build.bat -e (to build external dependencies) and maybe add 
other options, and python(_d).exe will appear in PCbuild\win32.

> Distributing a security fix in
> source-only form will prevent many people from applying it (especially
> on Windows).

Nearly all bug fixes considered to be security risk fixes are first 
applied to master (the 'next' version), then maintenance versions, which 
do get installers, and only then to old security-fix versions.  The 
latter take extra effort as they are less likely to automatically 
backport, and on Windows, older versions run on more Windows versions.

The OP is so far choosing to not use an installer with those fixes.  By 
not doing so, he is missing out on the maybe 2000 non-security fixes and 
some enhancements that likely would benefit him more than maybe 50 
mostly obscure fixes added between 3.6.8 and 3.6.10*.  If a rare user 
such as Adam also chooses to not compile the latter, that is his choice.

*In the last 12 months, the ratio of fixed security issues to all fixed 
issues is 51/2087 = 2.4%, and for 5 years, 112/7825 = 1.4%.  There are 
68 open security issues, some of which will be closed other than as 'fixed'.

Source-only releases only block Windows/Mac users who choose not to 
upgrade to a released installer and who cannot or choose not to compile.

-- 
Terry Jan Reedy


