Date:      Sat, 03 Jan 2026 23:11:02 +0000
From:      bugzilla-noreply@freebsd.org
To:        python@FreeBSD.org
Subject:   [Bug 291609] lang/python311: Missing security update
Message-ID:  <bug-291609-21822-7iTPtjKaGa@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-291609-21822@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291609

--- Comment #12 from Torsten Zuehlsdorff <tz@freebsd.org> ---
(In reply to Charlie Li from comment #6)

> It is ultimately up to the upstream CPython project to commit their fixes 
> appropriately. Using stuff that upstream has not fully blessed, ie through 
> solid commits, does not provide us and our users a good support trail.

I am sorry, but CPython does not merge *our* work between branches. 

Wen has committed the update to Python 3.11.14 (which fixed security issues) to
main on 2025-12-15. Since then it has not been merged into quarterly. The quarterly
branch is the base of the packages you get by default when using "pkg install".
So we basically deliver a known unsafe version for over 3 weeks, while we
have already fixed it, just in another branch.

I also wrote an email to python@ to ask if there is any objection to the merge,
but did not get any reply at all, yet. Because of Christmas / New Year / a
number of different holidays this did not surprise me. But when fixing security
issues, we must always try to get them merged into quarterly. So how can we
improve this situation?

-- 
You are receiving this mail because:
You are the assignee for the bug.
