Python 3.7.4 final
Core and Builtins
bpo-37500: Due to unintended side effects, revert the change introduced by bpo-1875 in 3.7.4rc1 to check for syntax errors in dead conditional code blocks.
Documentation
bpo-37149: Replace the dead link to the Tkinter 8.5 reference by John Shipman, New Mexico Tech, with a link to the archive.org copy.
Python 3.7.4 release candidate 2
Security
bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with additional text after the address and only quad-dotted notation without trailing whitespaces. Some inet_aton() implementations ignore whitespace and all data after whitespace, e.g. ‘127.0.0.1 whatever’.
Core and Builtins
bpo-24214: Improved support of the surrogatepass error handler in the UTF-8 and UTF-16 incremental decoders.
Library
bpo-37440: http.client now enables TLS 1.3 post-handshake authentication for default context or if a cert_file is passed to HTTPSConnection.
bpo-37437: Update vendorized expat version to 2.2.7.
bpo-37428: SSLContext.post_handshake_auth = True no longer sets SSL_VERIFY_POST_HANDSHAKE verify flag for client connections. Although the option is documented as ignored for clients, OpenSSL implicitly enables cert chain validation when the flag is set.
bpo-32627: Fix compile error when _uuid headers conflicting included.
Windows
bpo-37369: Fixes path for sys.executable when running from the Microsoft Store.
bpo-35360: Update Windows builds to use SQLite 3.28.0.
macOS
bpo-34602: Avoid test suite failures on macOS by no longer calling resource.setrlimit to increase the process stack size limit at runtime. The runtime change is no longer needed since the interpreter is being built with a larger default stack size.
Because python won't even try to build it.
You only see nis_failed.so if there is an error building it, when
it wanted to build it, and that should be fixed accordingly.
In a nutshell, if the yp headers are installed, python will build
the nis module, otherwise it won't.
On netbsd systems at least, if you have the yp headers installed and
subsequently re-install over the top with MKYP=no you get into the state
where the headers are installed, but the functions are no longer in libc.
This is an error with *your* system - either rebuild with MKYP=yes OR
remove the yp headers from include/rpc and include/rpcsvc.
Follow on fix for PR pkg/53673.
Match the logic used by setup.py: it looks for two headers in the default
include path. This helps newer glibc linux.
Omit PLIST.dll on python3* because it doesn't appear in the PLIST.
Make PLIST.dll true on all non-IRIX.
tested: NetBSD-current, FreeBSD 11.2, Ubuntu 18.10, CentOS 6.9, Source Mage
From Dr. Thomas Orgis, myself, and with pointers to a change from leot.
PR pkg/53673
Python 3.7.3:
Security
bpo-36216: Changes urlsplit() to raise ValueError when the URL contains characters that decompose under IDNA encoding (NFKC-normalization) into characters that affect how the URL is parsed.
bpo-35746: [CVE-2019-5010] Fix a NULL pointer deref in ssl module. The cert parser did not handle CRL distribution points with empty DP or URI correctly. A malicious or buggy certificate can result into segfault. Vulnerability (TALOS-2018-0758) reported by Colin Read and Nicolas Edet of Cisco.
bpo-35121: Don’t send cookies of domain A without Domain attribute to domain B when domain A is a suffix match of domain B while using a cookiejar with http.cookiejar.DefaultCookiePolicy policy. Patch by Karthikeyan Singaravelan.
Core and Builtins
bpo-35942: The error message emitted when returning invalid types from __fspath__ in interfaces that allow passing PathLike objects has been improved and now it does explain the origin of the error.
bpo-35992: Fix __class_getitem__() not being called on a class with a custom non-subscriptable metaclass.
bpo-35991: Fix a potential double free in Modules/_randommodule.c.
bpo-35961: Fix a crash in slice_richcompare(): use strong references rather than stolen references for the two temporary internal tuples.
bpo-31506: Clarify the errors reported when object.__new__ and object.__init__ receive more than one argument. Contributed by Sanyam Khurana.
bpo-35720: Fixed a minor memory leak in pymain_parse_cmdline_impl function in Modules/main.c
bpo-35623: Fix a crash when sorting very long lists. Patch by Stephan Hohe.
bpo-35214: clang Memory Sanitizer build instrumentation was added to work around false positives from posix, socket, time, test_io, and test_faulthandler.
bpo-35560: Fix an assertion error in format() in debug build for floating point formatting with “n” format, zero padding and small width. Release build is not impacted. Patch by Karthikeyan Singaravelan.
bpo-35552: Format characters %s and %V in PyUnicode_FromFormat() and %s in PyBytes_FromFormat() no longer read memory past the limit if precision is specified.
bpo-35504: Fix segfaults and SystemErrors when deleting certain attributes. Patch by Zackery Spytz.
bpo-33989: Fix a possible crash in list.sort() when sorting objects with ob_type->tp_richcompare == NULL. Patch by Zackery Spytz.
Library
bpo-35931: The pdb debug command now gracefully handles all exceptions.
bpo-36251: Fix format strings used for stderrprinter and re.Match reprs. Patch by Stephan Hohe.
bpo-35807: Update ensurepip to install pip 19.0.3 and setuptools 40.8.0.
bpo-36179: Fix two unlikely reference leaks in _hashopenssl. The leaks only occur in out-of-memory cases.
bpo-35178: Ensure custom warnings.formatwarning() function can receive line as positional argument. Based on patch by Tashrif Billah.
bpo-36106: Resolve potential name clash with libm’s sinpi(). Patch by Dmitrii Pasechnik.
bpo-35512: unittest.mock.patch.dict() used as a decorator with string target resolves the target during function call instead of during decorator construction. Patch by Karthikeyan Singaravelan.
bpo-36091: Clean up reference to async generator in Lib/types. Patch by Henry Chen.
bpo-35899: Enum has been fixed to correctly handle empty strings and strings with non-Latin characters (ie. ‘α’, ‘א’) without crashing. Original patch contributed by Maxwell. Assisted by Stéphane Wirtel.
bpo-35918: Removed broken has_key method from multiprocessing.managers.SyncManager.dict. Contributed by Rémi Lapeyre.
bpo-35960: Fix dataclasses.field() throwing away empty mapping objects passed as metadata.
bpo-35847: RISC-V needed the CTYPES_PASS_BY_REF_HACK. Fixes ctypes Structure test_pass_by_value.
bpo-35780: Fix lru_cache() errors arising in recursive, reentrant, or multi-threaded code. These errors could result in orphan links and in the cache being trapped in a state with fewer than the specified maximum number of links. Fix handling of negative maxsize which should have been treated as zero. Fix errors in toggling the “full” status flag. Fix misordering of links when errors are encountered. Sync-up the C code and pure Python code for the space saving path in functions with a single positional argument. In this common case, the space overhead of an lru cache entry is reduced by almost half. Fix counting of cache misses. In error cases, the miss count was out of sync with the actual number of times the underlying user function was called.
bpo-23846: asyncio.ProactorEventLoop now catches and logs send errors when the self-pipe is full.
bpo-34323: asyncio: Enhance IocpProactor.close() log: wait 1 second before the first log, then log every second. Log also the number of seconds since close() was called.
bpo-34294: re module, fix wrong capturing groups in rare cases. re.search(), re.findall(), re.sub() and other functions that scan through string looking for a match, should reset capturing groups between two match attempts. Patch by Ma Lin.
bpo-35717: Fix KeyError exception raised when using enums and compile. Patch contributed by Rémi Lapeyre.
bpo-35699: Fixed detection of Visual Studio Build Tools 2017 in distutils
bpo-32710: Fix memory leaks in asyncio ProactorEventLoop on overlapped operation failure.
bpo-32710: Fix a memory leak in asyncio in the ProactorEventLoop when ReadFile() or WSASend() overlapped operation fail immediately: release the internal buffer.
bpo-35682: Fix asyncio.ProactorEventLoop.sendfile(): don’t attempt to set the result of an internal future if it’s already done.
bpo-35283: Add a pending deprecated warning for the threading.Thread.isAlive() method. Patch by Dong-hee Na.
bpo-35643: Fixed a SyntaxWarning: invalid escape sequence in Modules/_sha3/cleanup.py. Patch by Mickaël Schoentgen.
bpo-35615: weakref: Fix a RuntimeError when copying a WeakKeyDictionary or a WeakValueDictionary, due to some keys or values disappearing while iterating.
bpo-28503: The crypt module now internally uses the crypt_r() library function instead of crypt() when available.
bpo-35121: Don’t set cookie for a request when the request path is a prefix match of the cookie’s path attribute but doesn’t end with “/”. Patch by Karthikeyan Singaravelan.
bpo-35585: Speed-up building enums by value, e.g. http.HTTPStatus(200).
bpo-21478: Calls to a child function created with unittest.mock.create_autospec() should propagate to the parent. Patch by Karthikeyan Singaravelan.
bpo-35513: TextTestRunner of unittest.runner now uses time.perf_counter() rather than time.time() to measure the execution time of a test: time.time() can go backwards, whereas time.perf_counter() is monotonic.
bpo-35502: Fixed reference leaks in xml.etree.ElementTree.TreeBuilder in case of unfinished building of the tree (in particular when an error was raised during parsing XML).
bpo-31446: Copy command line that was passed to CreateProcessW since this function can change the content of the input buffer.
bpo-20239: Allow repeated assignment deletion of unittest.mock.Mock attributes. Patch by Pablo Galindo.
bpo-17185: Set __signature__ on mock for inspect to get signature. Patch by Karthikeyan Singaravelan.
bpo-10496: check_environ() of distutils.utils now catches KeyError on calling pwd.getpwuid(): don’t create the HOME environment variable in this case.
bpo-35066: Previously, calling the strftime() method on a datetime object with a trailing ‘%’ in the format string would result in an exception. However, this only occured when the datetime C module was being used; the python implementation did not match this behavior. Datetime is now PEP-399 compliant, and will not throw an exception on a trailing ‘%’.
bpo-24746: Avoid stripping trailing whitespace in doctest fancy diff. Orignial patch by R. David Murray & Jairo Trad. Enhanced by Sanyam Khurana.
bpo-35198: Fix C++ extension compilation on AIX
bpo-28441: On Cygwin and MinGW, ensure that sys.executable always includes the full filename in the path, including the .exe suffix (unless it is a symbolic link).
bpo-34572: Fix C implementation of pickle.loads to use importlib’s locking mechanisms, and thereby avoid using partially-loaded modules. Patch by Tim Burgess.
bpo-33687: Fix the call to os.chmod() for uu.decode() if a mode is given or decoded. Patch by Timo Furrer.
bpo-32146: Document the interaction between frozen executables and the spawn and forkserver start methods in multiprocessing.
PkgSrc changes:
* Make find_library() consitant for all Python versions:
- Fallback to clang, when gcc is not installed.
- Find libraries in PkgSrc prefix.
* Do not use -stack_size; it ends up in 'pythonNN-config --ldflags', and some
modules fail to build.
Python 3.7.2 final
Library
- bpo-31715: Associate .mjs file extension with application/javascript MIME Type.
Build
- bpo-35499: make profile-opt no longer replaces CFLAGS_NODIST with CFLAGS. It now adds profile-guided optimization (PGO) flags to CFLAGS_NODIST: existing CFLAGS_NODIST flags are kept.
- bpo-35257: Avoid leaking the linker flags from Link Time Optimizations (LTO) into distutils when compiling C extensions.
C API
- bpo-35259: Conditionally declare Py_FinalizeEx() (new in 3.6) based on Py_LIMITED_API.
Python 3.7.2 release candidate 1
Security
- bpo-34812: The -I command line option (run Python in isolated mode) is now also copied by the multiprocessing and distutils modules when spawning child processes. Previously, only -E and -s options (enabled by -I) were copied.
- bpo-34791: The xml.sax and xml.dom.domreg no longer use environment variables to override parser implementations when sys.flags.ignore_environment is set by -E or -I arguments.
Core and Builtins
- bpo-35444: Fixed error handling in pickling methods when fail to look up builtin “getattr”.
- bpo-35436: Fix various issues with memory allocation error handling. Patch by Zackery Spytz.
- bpo-35357: Internal attributes’ names of unittest.mock._Call and unittest.mock.MagicProxy (name, parent & from_kall) are now prefixed with _mock_ in order to prevent clashes with widely used object attributes. Fixed minor typo in test function name.
- bpo-35372: Fixed the code page decoder for input longer than 2 GiB containing undecodable bytes.
- bpo-35336: Fix PYTHONCOERCECLOCALE=1 environment variable: only coerce the C locale if the LC_CTYPE locale is “C”.
- bpo-33954: For str.format(), float.__format__() and complex.__format__() methods for non-ASCII decimal point when using the “n” formatter.
- bpo-35269: Fix a possible segfault involving a newly-created coroutine. Patch by Zackery Spytz.
- bpo-35214: Fixed an out of bounds memory access when parsing a truncated unicode escape sequence at the end of a string such as '\N'. It would read one byte beyond the end of the memory allocation.
- bpo-35214: The interpreter and extension modules have had annotations added so that they work properly under clang’s Memory Sanitizer. A new configure flag –with-memory-sanitizer has been added to make test builds of this nature easier to perform.
- bpo-35193: Fix an off by one error in the bytecode peephole optimizer where it could read bytes beyond the end of bounds of an array when removing unreachable code. This bug was present in every release of Python 3.6 and 3.7 until now.
- bpo-29341: Clarify in the docstrings of os methods that path-like objects are also accepted as input parameters.
- bpo-35050: socket: Fix off-by-one bug in length check for AF_ALG name and type.
- bpo-34974: bytes and bytearray constructors no longer convert unexpected exceptions (e.g. MemoryError and KeyboardInterrupt) to TypeError.
- bpo-34973: Fixed crash in bytes() when the list argument is mutated while it is iterated.
- bpo-34824: Fix a possible null pointer dereference in Modules/_ssl.c. Patch by Zackery Spytz.
- bpo-1621: Do not assume signed integer overflow behavior (C undefined behavior) when performing set hash table resizing.
Library
- bpo-35052: Fix xml.dom.minidom cloneNode() on a document with an entity: pass the correct arguments to the user data handler of an entity.
- bpo-35330: When a Mock instance was used to wrap an object, if side_effect is used in one of the mocks of it methods, don’t call the original implementation and return the result of using the side effect the same way that it is done with return_value.
- bpo-34172: Revert the fix for this issue previously released in 3.7.1 pending further investigation: Fix a reference issue inside multiprocessing.Pool that caused the pool to remain alive if it was deleted without being closed or terminated explicitly.
- bpo-10496: posixpath.expanduser() now returns the input path unchanged if the HOME environment variable is not set and the current user has no home directory (if the current user identifier doesn’t exist in the password database). This change fix the site module if the current user doesn’t exist in the password database (if the user has no home directory).
- bpo-35310: Fix a bug in select.select() where, in some cases, the file descriptor sequences were returned unmodified after a signal interruption, even though the file descriptors might not be ready yet. select.select() will now always return empty lists if a timeout has occurred. Patch by Oran Avraham.
- bpo-35380: Enable TCP_NODELAY on Windows for proactor asyncio event loop.
- bpo-35341: Add generic version of collections.OrderedDict to the typing module. Patch by Ismo Toijala.
- bpo-35371: Fixed possible crash in os.utime() on Windows when pass incorrect arguments.
- bpo-27903: Fix ResourceWarning in platform.dist() on SuSE and Caldera OpenLinux. Patch by Ville Skyttä.
- bpo-35308: Fix regression in webbrowser where default browsers may be preferred over browsers in the BROWSER environment variable.
- bpo-28604: locale.localeconv() now sets temporarily the LC_CTYPE locale to the LC_MONETARY locale if the two locales are different and monetary strings are non-ASCII. This temporary change affects other threads.
- bpo-35277: Update ensurepip to install pip 18.1 and setuptools 40.6.2.
- bpo-35226: Recursively check arguments when testing for equality of unittest.mock.call objects and add note that tracking of parameters used to create ancestors of mocks in mock_calls is not possible.
- bpo-29564: The warnings module now suggests to enable tracemalloc if the source is specified, the tracemalloc module is available, but tracemalloc is not tracing memory allocations.
- bpo-35189: Modify the following fnctl function to retry if interrupted by a signal (EINTR): flock, lockf, fnctl
- bpo-35062: Fix incorrect parsing of _io.IncrementalNewlineDecoder’s translate argument.
- bpo-35079: Improve difflib.SequenceManager.get_matching_blocks doc by adding ‘non-overlapping’ and changing ‘!=’ to ‘<’.
- bpo-35017: socketserver.BaseServer.serve_forever() now exits immediately if it’s shutdown() method is called while it is polling for new events.
- bpo-31047: Fix ntpath.abspath regression where it didn’t remove a trailing separator on Windows. Patch by Tim Graham.
- bpo-34794: Fixed a leak in Tkinter when pass the Python wrapper around Tcl_Obj back to Tcl/Tk.
- bpo-35008: Fixed references leaks when call the __setstate__() method of xml.etree.ElementTree.Element in the C implementation for already initialized element.
- bpo-23420: Verify the value for the parameter ‘-s’ of the cProfile CLI. Patch by Robert Kuska
- bpo-33947: dataclasses now handle recursive reprs without raising RecursionError.
- bpo-16965: The 2to3 execfile fixer now opens the file with mode 'rb'. Patch by Zackery Spytz.
- bpo-34966: pydoc now supports aliases not only to methods defined in the end class, but also to inherited methods. The docstring is not duplicated for aliases.
- bpo-34941: Methods find(), findtext() and findall() of the Element class in the xml.etree.ElementTree module are now able to find children which are instances of Element subclasses.
- bpo-34936: Fix TclError in tkinter.Spinbox.selection_element(). Patch by Juliette Monsel.
- bpo-34866: Adding max_num_fields to cgi.FieldStorage to make DOS attacks harder by limiting the number of MiniFieldStorage objects created by FieldStorage.
- bpo-34022: The SOURCE_DATE_EPOCH environment variable no longer overrides the value of the invalidation_mode argument to py_compile.compile(), and determines its default value instead.
- bpo-34738: ZIP files created by distutils will now include entries for directories.
- bpo-31177: Fix bug that prevented using reset_mock on mock instances with deleted attributes
- bpo-34536: Enum._missing_: raise ValueError if None returned and TypeError if non-member is returned.
- bpo-34604: Fix possible mojibake in the error message of pwd.getpwnam and grp.getgrnam using string representation because of invisible characters or trailing whitespaces. Patch by William Grzybowski.
- bpo-34574: OrderedDict iterators are not exhausted during pickling anymore. Patch by Sergey Fedoseev.
- bpo-34052: sqlite3.Connection.create_aggregate(), sqlite3.Connection.create_function(), sqlite3.Connection.set_authorizer(), sqlite3.Connection.set_progress_handler() methods raises TypeError when unhashable objects are passed as callable. These methods now don’t pass such objects to SQLite API. Previous behavior could lead to segfaults. Patch by Sergey Fedoseev.
- bpo-29877: compileall: import ProcessPoolExecutor only when needed, preventing hangs on low resource platforms
- bpo-22005: Implemented unpickling instances of datetime, date and time pickled by Python 2. encoding='latin1' should be used for successful decoding.
Notable changes in Python 3.7.1
Starting in 3.7.1, Py_Initialize() now consistently reads and respects all of the same environment settings as Py_Main() (in earlier Python versions, it respected an ill-defined subset of those environment variables, while in Python 3.7.0 it didn’t read any of them due to bpo-34247). If this behavior is unwanted, set Py_IgnoreEnvironmentFlag to 1 before calling Py_Initialize().
In 3.7.1 the C API for Context Variables was updated to use PyObject pointers.
xml.dom.minidom and xml.sax modules no longer process external entities by default.
Python 3.7.0 is the newest major release of the Python language, and it contains many new features and optimizations.
Among the major new features in Python 3.7 are:
PEP 539, new C API for thread-local storage
PEP 545, Python documentation translations
New documentation translations: Japanese, French, and Korean.
PEP 552, Deterministic pyc files
PEP 553, Built-in breakpoint()
PEP 557, Data Classes
PEP 560, Core support for typing module and generic types
PEP 562, Customization of access to module attributes
PEP 563, Postponed evaluation of annotations
PEP 564, Time functions with nanosecond resolution
PEP 565, Improved DeprecationWarning handling
PEP 567, Context Variables
Avoiding the use of ASCII as a default text encoding (PEP 538, legacy C locale coercion and PEP 540, forced UTF-8 runtime mode)
The insertion-order preservation nature of dict objects is now an official part of the Python language spec.
Notable performance improvements in many areas.
