Classification
Title: Provide official installers for security releases
Type: enhancement    Stage: resolved
Components: Installation    Versions: Python 3.10

Process
Status: closed    Resolution: rejected
Dependencies:    Superseder:
Assigned To:    Nosy List: ned.deily, steve.dower, terry.reedy, zby1234
Priority: normal    Keywords:

Created on 2021-02-27 10:07 by zby1234, last changed 2021-03-05 21:51 by terry.reedy. This issue is now closed.

Messages (2)
msg387774 - Author: Zhang Boyang (zby1234) Date: 2021-02-27 10:07
Hello,

Thanks for developing Python! I noticed there are no official installers for security releases of old Python versions. This looks a little strange to me. As a Python user & developer, it's common to stay with some old version of Python, because of some packages' version constraints, or because we need to support old platforms.

The official installer is the most trusted installation source, but it's not provided with security releases. The lack of installers makes installation extremely difficult (impossible for end users), and there's no (free) way for an individual to create a code-signed copy of Python. Non-code-signed binaries will lead to a lot of problems on recent operating systems.

The choice of providing no official installer leads a lot of users to stay with the latest bug-fix release and not upgrade to the latest security releases. Individuals who want to stay with an old version must either use the latest bug-fix release or risk running a non-code-signed Python binary. The former lacks recent Python security fixes, and the latter is vulnerable to binary modifications such as virus infection.

To sum up, if official installers are provided, it will make life a lot easier for users who want to stay with an old Python version. It would be appreciated if you could accept my feature request.

Thank you!
msg388166 - Author: Terry J. Reedy (terry.reedy) * (Python committer) Date: 2021-03-05 21:51
This tracker is only concerned with the PSF/python.org Windows and macOS installers, not the *nix distributions, so I assume that one of the former is your concern.

For those, your request has been made and rejected multiple times before.  A request on the tracker won't change this policy decision.  Briefly, we consider other actions by the volunteers who make those installers to be more valuable.  Making more installers means not doing something else, like fixing bugs or keeping up with OS changes or enhancing something.

A little more: 1. Many -- maybe most -- security fixes are only or mainly of concern to server maintainers.  They mostly run *nix or compile their own binaries or pay someone to do so.  2. Running older Python versions instead of newer versions is a user choice, not ours.  3. Non-PSF distributors of Python for Windows and Mac are free to recompile their binaries whenever they want to.

For Windows, I don't know what your concern is about 'signed' binaries.  Anyone can install the Visual Studio Community Edition and Git and clone and compile their own binary.  This is at least as secure as a downloaded binary.  If more instructions are needed for how to use that binary for production use, that would be a different issue. (And perhaps git should be told to git-ignore additions to site-packages.)
History
Date                 User         Action  Args
2021-03-05 21:51:55  terry.reedy  set     status: open -> closed
                                          title: [feature request] Please provide official installers for security releases -> Provide official installers for security releases
                                          nosy: + terry.reedy, ned.deily, steve.dower
                                          messages: + msg388166
                                          resolution: rejected
                                          stage: resolved
2021-02-27 10:07:25  zby1234      create