There's enough instability due to using the proper UCRT installer (e.g. bpo-25546, bpo-25954, also others not reported on bpo) and good enough install base that we can simplify things by just installing it locally on machines that require it.

This may also require updating venv (though I think we're fine) and virtualenv (I'll ping).

My proposal is to bundle the UCRT redistributable DLLs into their own MSI and install them alongside the main executable when required. If a user later installs it properly, the up-to-date version will be used instead. This should be good enough to cover people still on Windows 7/8, and will also reduce the installer size slightly (though at the cost of potentially breaking non-standard virtual environments or entrypoint stubs that link to the CRT dynamically).

The PR is ready, but I'll leave this open for a few days in case anyone wants to comment.

Does this mean that we'll need to update the bundled ucrt whenever there are security patches to the baseline version? Are we happy with the security implications of that?

I thought one of the key advantages of using the system CRT (whether the old msvcrXX.dll or the new ucrt) was that we automatically received security patches.

Technically yes, though I think at this stage it will be very few machines that end up with our copy, and users can patch their own system using Windows Update even if we've installed a copy. Particularly for our user base, where I suspect most pre-Win10 Python users will have installed 3.5 or 3.6 previously and so have the proper update.

There should be very few first time Python users on older operating systems, and it will approach zero over time.

Oh, so we're talking here about bundling the ucrt installers and then if the user doesn't already have ucrt installed system wide, we will install a local copy, but if they do, we don't do anything? If we install a local copy, then it'll be used until the user installs a system copy, at which point the local copy remains but gets ignored, correct? That seems OK, although I can see a local copy that's not used being confusing - but it's for very few users so no real issue.

I'm not sure what you're saying for venv/virtualenv though? Presumably they will need to copy the local copy if it's present, but that local copy will be ignored if there's a system copy?

All correct. I believe venv is fine, as it copies all DLLs, but virtualenv is more selective and will need to be updated.

New changeset d135f20 by Steve Dower in branch 'master':
bpo-32507: Change Windows install to include app-local UCRT (bpo-5119)
d135f20

Missed the a4 cutoff, but it'll be in 3.7.0b1.