[RELEASE] Python 3.10.14, 3.9.19, and 3.8.19 is now available

2024-03-19 Thread Łukasz Langa via Python-list 
Howdy!
Those are the boring security releases that aren’t supposed to bring anything 
new. But not this time! We do have a bit of news, actually. But first things 
first: go update your systems!

 
Python
 3.10.14

Get it here: Python Release Python 3.10.14 

26 commits since last release.

 
Python
 3.9.19

Get it here: Python Release Python 3.9.19 

26 commits since last release.

 
Python
 3.8.19

Get it here: Python Release Python 3.8.19 

28 commits since last release.

 
Security
 content in this release

gh-115399  & gh-115398 
: bundled libexpat was updated 
to 2.6.0 to address CVE-2023-52425 
, and control of the new 
reparse deferral functionality was exposed with new APIs. Thanks to Sebastian 
Pipping, the maintainer of libexpat, who worked with us directly on 
incorporating those fixes!
gh-109858 : zipfile is now 
protected from the “quoted-overlap” zipbomb to address CVE-2024-0450 
. It now raises BadZipFile when 
attempting to read an entry that overlaps with another entry or central 
directory
gh-91133 : 
tempfile.TemporaryDirectory cleanup no longer dereferences symlinks when 
working around file system permission errors to address CVE-2023-6597 

gh-115197 : urllib.request no 
longer resolves the hostname before checking it against the system’s proxy 
bypass list on macOS and Windows
gh-81194 : a crash in 
socket.if_indextoname() with a specific value (UINT_MAX) was fixed. Relatedly, 
an integer overflow in socket.if_indextoname() on 64-bit non-Windows platforms 
was fixed
gh-113659 : .pth files with 
names starting with a dot or containing the hidden file attribute are now 
skipped
gh-102388 : iso2022_jp_3 and 
iso2022_jp_2004 codecs no longer read out of bounds
gh-114572 : 
ssl.SSLContext.cert_store_stats() and ssl.SSLContext.get_ca_certs() now 
correctly lock access to the certificate store, when the ssl.SSLContext is 
shared across multiple threads
 
Stay
 safe and upgrade!

Upgrading is highly recommended to all users of affected versions.

 
Source
 builds are moving to GitHub Actions

It’s not something you will notice when downloading, but 3.10.14 here is the 
first release we’ve done were the source artifacts were built on GHA 
 and not on a 
local computer of one of the release managers. We have the Security Developer 
in Residence @sethmlarson  to thank 
for that!

It’s a big deal since public builds allow for easier auditing and 
repeatability. It also helps with the so-called bus factor. In fact, to test 
this out, this build of 3.10.14 was triggered by me and not Pablo, who would 
usually release Python 3.10.

The artifacts are later still signed by the respective release manager, 
ensuring integrity when put on the downloads server.

 
Python
 now manages its own CVEs

The security releases you’re looking at are the first after the PSF became a 
CVE Numbering Authority 
.
 That’s also thanks to @sethmlarson . 
What being our own CNA allows us to ensure the quality of the vulnerability 
reports is high, and the severity estimate is accurate. Seth summarized it best 
in his announcement here 
.

What

Re: Configuring an object via a dictionary

2024-03-19 Thread Pokemon Chw via Python-list 
It's too complicated, there's no need for this
def __init__(self, config):

self.__dict__ = config
self.connection = None
"""
other code .
"""
Note that you need to keep the fields in the config dict named the same as
the fields you want to be assigned to in your class

Loris Bennett via Python-list  于2024年3月19日周二
01:39写道:

> Tobiah  writes:
>
> > I should mention that I wanted to answer your question,
> > but I wouldn't actually do this.  I'd rather opt for
> > your self.config = config solution.  The config options
> > should have their own namespace.
> >
> > I don't mind at all referencing foo.config['option'],
> > or you could make foo.config an object by itself so
> > you can do foo.config.option.  You'd fill it's attributes
> > in the same way I suggested for your main object.
>
> Thanks for the thoughts.  I'll go for self.config = config after
> all, since, as you say, the clutter caused by the referencing is not
> that significant.
>
> Cheers,
>
> Loris
>
> --
> This signature is currently under constuction.
> --
> https://mail.python.org/mailman/listinfo/python-list
>
-- 
https://mail.python.org/mailman/listinfo/python-list