Message 291406 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	njs
Recipients	benjamin.peterson, cgohlke, cstratak, hroncok, larry, ned.deily, njs, serhiy.storchaka, steve.dower
Date	2017-04-10.03:02:57
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1491793378.95.0.890552099192.issue29943@psf.upfronthosting.co.za>
In-reply-to

Content
> Can we consider 3.6.0 rather than 3.6.1 as broken release? In the last week, pypi downloads were about evenly split between 3.6.0 and 3.6.1 (2269969 for "3.6.1", 1927189 for "3.6.0", and those two were ~2 orders of magnitude more common than other strings like "3.6.1+", "3.6.0b2", etc. [1]). Not sure what that to conclude from that, but certainly if people start uploading 3.6.1-only wheels right now then it will break things for a lot of end users. With my manylinux docker image maintainer hat on: we're currently shipping 3.6.0. I'm extremely confident that if we stick with this we'll never get any complaints about the obscure bug with malicious __index__ implementations that's being fixed here. OTOH if we upgrade to 3.6.1, or any version with this ABI change, then we'll definitely get many complaints so long as there's anyone at all still using 3.6.0, which is probably forever. So I'm not sure not sure what incentive we would have to ever upgrade to 3.6.1+ if this ABI change is kept? (This isn't saying the bug is unimportant! But it sure is hard to sell its importance to folks trying to ship packages and support end-users...) -------- [1] Somewhat crude query I used in case it's useful for future reference: SELECT REGEXP_EXTRACT(details.python, r"^([^\.]+\.[^\.]+\.[^\.]+)") as python_version, COUNT(*) as download_count, FROM TABLE_DATE_RANGE( [the-psf:pypi.downloads], DATE_ADD(CURRENT_TIMESTAMP(), -7, "day"), DATE_ADD(CURRENT_TIMESTAMP(), 0, "day") ) WHERE REGEXP_MATCH(details.python, r"^3\.6\.") GROUP BY python_version, ORDER BY download_count DESC LIMIT 100

> Can we consider 3.6.0 rather than 3.6.1 as broken release?

In the last week, pypi downloads were about evenly split between 3.6.0 and 3.6.1 (2269969 for "3.6.1", 1927189 for "3.6.0", and those two were ~2 orders of magnitude more common than other strings like "3.6.1+", "3.6.0b2", etc. [1]). Not sure what that to conclude from that, but certainly if people start uploading 3.6.1-only wheels right now then it will break things for a lot of end users.

With my manylinux docker image maintainer hat on: we're currently shipping 3.6.0. I'm extremely confident that if we stick with this we'll never get any complaints about the obscure bug with malicious __index__ implementations that's being fixed here. OTOH if we upgrade to 3.6.1, or any version with this ABI change, then we'll definitely get many complaints so long as there's anyone at all still using 3.6.0, which is probably forever. So I'm not sure not sure what incentive we would have to ever upgrade to 3.6.1+ if this ABI change is kept?

(This isn't saying the bug is unimportant! But it sure is hard to sell its importance to folks trying to ship packages and support end-users...)

--------

[1] Somewhat crude query I used in case it's useful for future reference:

SELECT
  REGEXP_EXTRACT(details.python, r"^([^\.]+\.[^\.]+\.[^\.]+)") as python_version,
  COUNT(*) as download_count,
FROM
  TABLE_DATE_RANGE(
    [the-psf:pypi.downloads],
    DATE_ADD(CURRENT_TIMESTAMP(), -7, "day"),
    DATE_ADD(CURRENT_TIMESTAMP(), 0, "day")
  )
WHERE
  REGEXP_MATCH(details.python, r"^3\.6\.")
GROUP BY
  python_version,
ORDER BY
  download_count DESC
LIMIT 100

History
Date	User	Action	Args
2017-04-10 03:02:59	njs	set	recipients: + njs, larry, benjamin.peterson, ned.deily, cgohlke, serhiy.storchaka, steve.dower, cstratak, hroncok
2017-04-10 03:02:58	njs	set	messageid: <1491793378.95.0.890552099192.issue29943@psf.upfronthosting.co.za>
2017-04-10 03:02:58	njs	link	issue29943 messages
2017-04-10 03:02:57	njs	create