python v3.10.7 #579
…nda-forge-pinning 2022.09.04.15.41.14
|
Hi! This is the friendly automated conda-forge-linting service. I just wanted to let you know that I linted all conda-recipes in your PR ( |
|
Is there a reason not to merge this? Since 3.10.7 addresses a CVE, I think it would be good to make it available on conda-forge. I am not sure about the C++ compiler change, but otherwise it looks like a straightforward update. |
|
@isuruf Can you leave a comment here why this is in draft? Looks good to me otherwise. |
|
There are lots of issues with that release/CVE. It breaks a few pieces of software in a patch release. See https://discuss.python.org/t/int-str-conversions-broken-in-latest-python-bugfix-releases/18889 |
|
Hmm, that is an interesting discussion, but what is the outlook? It seems like the core developers are standing by the decision and not reverting it. So is the decision here to delay the new release to give other projects more time to adapt? Since conda-forge skews more heavily toward data science, that makes some sense. |
Not really. See https://discuss.python.org/t/int-str-conversions-broken-in-latest-python-bugfix-releases/18889/93 I'm just going to wait to see how the discussion pans out. |
Okay, I should have written more specifically "the steering council and security response team are standing by the decision..." instead of "core developers" 🙂 In any case, it will be interesting to follow the discussion. It sounds like it is not impossible a more efficient algorithm could be added. |
|
@isuruf thanks for halting this. That thread looks like something from the Julia discourse page now lol |
|
I came to this feedstock to open an issue about this, but saw that this discussion is already happening. Glad to see I'm not alone in considering this quite egregious breakage, made worse by the sort of circling the wagons that declares this decision beyond discussion. Since it seems like it'll take a while for these things to work themselves through, I don't think we should necessarily stop publishing patch version updates -- though I would lend my support to an effort that reverts or adapts this "fix" in our branches, if that's a decision that conda-forge/core wants to take. This would need fairly broad support though, because it's likely going to be confrontational (judging from the interactions in that thread), and substantial enough that it would IMO need something like a blogpost & announcement on the python discourse. |
|
I agree about not blocking patch releases. In my case, I don't work with large integers and I don't work with web services, so the security patch does not affect me directly. However, it does affect me indirectly because I like to use conda at work and, because of the CVE, 3.10.6 is flagged as insecure. While I could try to argue the CVE is irrelevant, I took the easier route of uploading the build artifacts from this PR to my own conda channel and installing 3.10.7 that way. Other people could be in the same position where it is hard to convey the nuance of the situation to a security team and it just looks like conda-forge is blocking security updates (possibly putting more pressure on people to install Python from a different channel). I don't know how big of integers people work with. Maybe the length limit on integers could be set to a higher default value here? |
|
@isuruf there is a new release; what are your thoughts now? It looks like the ship has defo sailed ahead on this one... @h-vetinari what is your recommendation here? copying @conda-forge/core for visibility |
|
xref: #587 |
Thanks for asking but it's not up to me. I tried to bring the topic up in a core meeting ~3 weeks ago, but that meeting ran out of time and we didn't get to it. A week ago I couldn't join the core meeting, I don't know if it was discussed. I think it needs a broader alignment within core, because the choices are all bad and controversial whichever way one slices it. |
Personally, I don't find upstream's decision, process of decision making, and the handling afterwards really defensible due to several reasons that have already been voiced. I would disable the limit with a simple/maintainable patch for the patch releases (i.e., <3.11).
However, I'm leaving this as a "neutral" comment since it's not important enough for me to put in effort arguing for that.
That said, we seem to have reached a clear majority. When do we proceed with this and get the patch releases out? I suppose tomorrow, i.e., after the usual 7 days.
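Added example, not code from this PR or from the python-feedstock: the "limit" discussed in the comments above (raising its default, or disabling it by patch) is the cap on the number of decimal digits allowed in int-to-str and str-to-int conversion that the patch releases listed later in this thread (3.10.7, 3.9.14, 3.8.14, 3.7.14) introduced, with a default of 4300 digits and `sys.get_int_max_str_digits()` / `sys.set_int_max_str_digits()` as the accessors. The probe functions below are my own; they report the active limit, show which conversions raise `ValueError` on a limited interpreter, and confirm that power-of-two bases such as hex are exempt. On an interpreter that predates the limit, the accessors are absent and the probe reports 0 (the same value that disables the limit on a new interpreter).

```python
import sys

# Added example, not feedstock code. Python 3.10.7 / 3.9.14 / 3.8.14 / 3.7.14
# (and 3.11) cap int<->str conversion at sys.get_int_max_str_digits() decimal
# digits, 4300 by default; exceeding the cap raises ValueError. Interpreters
# that predate the change have neither the cap nor the accessor functions,
# which this probe reports as 0 (the value that disables the limit).


def current_limit() -> int:
    """Return the active digit limit, or 0 when no limit exists or it is disabled."""
    getter = getattr(sys, "get_int_max_str_digits", None)
    return getter() if getter is not None else 0


def set_limit(digits: int) -> int:
    """Set the limit (0 disables it; any other value must be >= 640) and return it."""
    setter = getattr(sys, "set_int_max_str_digits", None)
    if setter is None:
        return 0  # interpreter predates the limit; nothing to set
    setter(digits)
    return current_limit()


def str_conversion_blocked(ndigits: int) -> bool:
    """True if int -> str for a number with ndigits decimal digits raises ValueError."""
    value = 10 ** (ndigits - 1)  # the smallest integer with exactly ndigits digits
    try:
        str(value)
    except ValueError:
        return True
    return False


def int_parse_blocked(ndigits: int) -> bool:
    """True if str -> int for a string of ndigits decimal digits raises ValueError."""
    text = "9" * ndigits  # constructed input: ndigits nines
    try:
        int(text)
    except ValueError:
        return True
    return False


def hex_conversion_blocked(ndigits: int) -> bool:
    """Power-of-two bases are exempt from the limit, so this stays False."""
    try:
        hex(10 ** (ndigits - 1))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    limit = current_limit()
    print("active limit:", limit or "none")
    probe = (limit or 4300) + 1  # one digit past the (default) cap
    for name, fn in (("str()", str_conversion_blocked),
                     ("int()", int_parse_blocked),
                     ("hex()", hex_conversion_blocked)):
        print(f"{probe}-digit {name}:", "blocked" if fn(probe) else "ok")
```

The limit exists to bound the cost of the quadratic decimal conversion on attacker-supplied input, so the defensible places to raise it are the specific processes that legitimately handle very large integers rather than a whole distribution; the same interpreters also accept the `PYTHONINTMAXSTRDIGITS` environment variable and `-X int_max_str_digits=N` for a per-process default, which is the kind of higher default the comment above asks about.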
|
We need to consult our voting rules and ensure this vote has passed according to the rules. I will leave that task to @jaimergp since he called the vote. |
|
We don't have quorum yet. We need 13 votes, but we only have 11 so far (9 yes, 1 no, 1 abstain). After the vote (assuming no patches) we need to figure out more things.
If we get 2 more votes, we can decide on these at tomorrow's meeting. |
|
Let's kindly ping the team again for awareness :) @conda-forge/core, see message here: #579 (comment) |
|
We have reached quorum! I'll add this to today's meeting notes. |
|
Anaconda's position on releasing Python 3.10.7, 3.9.14, 3.8.14, and 3.7.14:
|
|
@conda-forge/python - this is scheduled for release on Nov 11th or later, but if there are any items to review here, we can start now. Thanks! |
|
Should we re-render or restart CI to make sure the status here is fresh? (same question for other |
|
Timezones and all that, but as of writing, it looks like anaconda has not yet shipped either of: |
Yes, and we'll move forward with this shortly, but all in its due time.
If one needs a more concrete time frame: I expect it to happen this month. 😼 |
|
@conda-forge-admin, please rerender |
…nda-forge-pinning 2022.11.15.11.53.06
|
FWIW it looks like Anaconda shipped these (in particular here's 3.10.8). Though recognize we are doing That said, what are people's thoughts on doing this soonish? Maybe tomorrow or early next week? Depending on how |
|
@conda-forge-admin, please rerender |
…nda-forge-pinning 2022.11.21.08.56.08
Yes :). |
|
Thanks Marcel! 🙏 |
It is very likely that the current package version for this feedstock is out of date.
Checklist before merging this PR:
- license_file is packaged
Information about this PR:
- To have these PRs merged automatically, open an issue with "@conda-forge-admin, please add bot automerge" in the title and merge the resulting PR. This command will add our bot automerge feature to your feedstock.
- If this PR needs to be redone, add the bot-rerun label to this PR. The bot will close this PR and schedule another one. If you do not have permissions to add this label, you can use the phrase "@conda-forge-admin, please rerun bot" in a PR comment to have the conda-forge-admin add it for you.
Pending Dependency Version Updates
Here is a list of all the pending dependency version updates for this repo. Please double check all dependencies before merging.
Dependency Analysis
Please note that this analysis is highly experimental. The aim here is to make maintenance easier by inspecting the package's dependencies. Importantly, this analysis does not support optional dependencies; please double check those before making changes. If you do not want hinting of this kind ever, please add "bot: inspection: false" to your conda-forge.yml. If you encounter issues with this feature, please ping the bot team conda-forge/bot.
Analysis by source code inspection shows a discrepancy between it and the package's stated requirements in the meta.yaml.
Packages found by source code inspection but not in the meta.yaml:
This PR was created by the regro-cf-autotick-bot. The regro-cf-autotick-bot is a service to automatically track the dependency graph, migrate packages, and propose package version updates for conda-forge. Feel free to drop us a line if there are any issues! This PR was generated by https://github.com/regro/autotick-bot/actions/runs/2995286395, please use this URL for debugging.