Is there some reason that recent Windows 3.6 releases don't include executable nor msi installers?

Mike Dewhirst miked at dewhirst.com.au
Thu May 28 21:55:45 EDT 2020


On 29/05/2020 10:51 am, Terry Reedy wrote:
> On 5/28/2020 5:20 PM, Peter J. Holzer wrote:
>> On 2020-05-23 13:22:26 -0600, Mats Wichmann wrote:
>>> On 5/23/20 12:23 AM, Adam Preble wrote:
>>>> I wanted to update from 3.6.8 on Windows without necessarily moving
>>>> on to 3.7+ (yet), so I thought I'd try 3.6.9 or 3.6.10.
>>>>
>>>> All I see for both are source archives:
>
>>> During the early part of a release cycle, installers are built.
>
> Only for Windows and now for macOS.  Python.org only ever distributes 
> source archives for *nix.  Distributors can add binaries to their 
> package system.
>
>>>  Once
>>> the cycle moves into security fix-only mode, installers are not built.
>
> We continue to apply security fixes for the benefit of server 
> operators who are slow to upgrade and who want minimal change -- only 
> those that they really need.  We make security-fix releases primarily 
> for the benefit of *nix distributors who want to update their x.y 
> package, but not for every x.y commit.  It also gives a periodic new 
> name for Python x.y with a new batch of fixes.
>
>> This seems a rather odd policy to me.
>
> Not if one considers the intended users.
> Do you prefer we not make these releases?
>
> Anyone running servers on Windows should have Visual Studio and git 
> installed as they should be able to compile their own binaries.  
> Anyone with control of their machine (so that they can download and 
> install things) can install VS and git with the instructions in 
> devguide.python.org. At that point, clone python/cpython and run 
> PCbuild\build.bat -e (to build external dependencies) and maybe add 
> other options, and python(_d).exe will appear in PCbuild\win32.
>
>> Distributing a security fix in
>> source-only form will prevent many people from applying it (especially
>> on Windows).
>
> Nearly all bug fixes considered to be security risk fixes are first 
> applied to master (the 'next' version), then maintenance versions, 
> which do get installers, and only then to old security-fix versions.  
> The latter take extra effort as they are less likely to automatically 
> backport, and on Windows, older versions run on more Windows versions.
>
> The OP is so far choosing to not use an installer with those fixes.  
> By not doing so, he is missing out on the maybe 2000 non-security 
> fixes and some enhancements that likely would benefit him more than 
> maybe 50 mostly obscure fixes added between 3.6.8 and 3.6.10*.  If a 
> rare user such as Adam also chooses to not compile the latter, that is 
> his choice.
>
> *In the last 12 months, the ratio of fixed security issues to all 
> fixed issues is 51/2087 = 2.4%, and for 5 years, 112/7825 = 1.4%. 
> There are 68 open security issues, some of which will be closed other 
> than as 'fixed'.
>
> Source only releases only block Windows/Mac users who choose not to 
> upgrade to a released installer and who cannot or choose not to compile.

I am an example.

I installed all the Pythons on my Windows 10 dev machine (locked into 
Windows by having clients) but I'm also locked into Python 3.6.9 on my 
Ubuntu 18.04 production machines.

After chasing down an obscure problem I decided to go back to Py36 on 
Windows to be using the same versions in dev as in prd. I couldn't find 
an installer on python.org so I retrieved one (3.6.5) from my archives.

I choose to avoid Visual Studio and I won't bother with cygwin any more 
after some pain a decade or so ago. Therefore I choose not to compile.

For me it won't be long before I can upgrade my production machines to 
20.04 and whatever Python3 comes with that and all will be well.

If I was asked to suggest a guide for which versions ought to get a 
Windows binary I would look at the most popular LTS *nix distros and 
keep Windows binaries in step just to support people like me who cannot 
live with too much Windows clutter. Think of it as deeply humanitarian 
generosity.

Honestly, if you let it, Windows just absolutely knows what you really 
meant despite what you tell it. It is a necessary evil when your clients 
use it.

Cheers

Mike


