Changelog

Python 3.8.18 final

Release date: 2023-08-24

Security

• gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith.

Library

• gh-107845: tarfile.data_filter() now takes the location of symlinks into account when determining their target, so it will no longer reject some valid tarballs with LinkOutsideDestinationError.

Tools/Demos

• gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2.

Python 3.8.17 final

Release date: 2023-06-06

Security

• gh-103142: The version of OpenSSL used in our binary builds has been upgraded to 1.1.1u to address several CVEs.

• gh-99889: Fixed a security in flaw in uu.decode() that could allow for directory traversal based on the input if no out_file was specified.

• gh-104049: Do not expose the local on-disk location in directory indexes produced by http.client.SimpleHTTPRequestHandler.

• gh-102153: urllib.parse.urlsplit() now strips leading C0 control and space characters following the specification for URLs defined by WHATWG in response to CVE-2023-24329. Patch by Illia Volochii.

• gh-101727: Updated the OpenSSL version used in Windows and macOS binary release builds to 1.1.1t to address CVE-2023-0286, CVE-2022-4303, and CVE-2022-4303 per the OpenSSL 2023-02-07 security advisory.

• gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe when launching with shell=True. Patch by Eryk Sun, based on a patch by Oleg Iarygin.

Library

• gh-103935: Use io.open_code() for files to be executed instead of raw open()

• gh-102953: The extraction methods in tarfile, and shutil.unpack_archive(), have a new a filter argument that allows limiting tar features than may be surprising or dangerous, such as creating files outside the destination directory. See Extraction filters for details.

• gh-101997: Upgrade pip wheel bundled with ensurepip (pip 23.0.1)

Build

• gh-102306: [3.8] Avoid GHA CI macOS test_posix failure by using the appropriate macOS SDK.

Windows

• gh-100180: Update Windows installer to OpenSSL 1.1.1s

macOS

• gh-103142: Update macOS installer to use OpenSSL 1.1.1u.

Python 3.8.16 final

Release date: 2022-12-06

Security

• gh-100001: python -m http.server no longer allows terminal control characters sent within a garbage request to be printed to the stderr server log.

  This is done by changing the http.server BaseHTTPRequestHandler .log_message method to replace control characters with a \xHH hex escape before printing.

• gh-87604: Avoid publishing list of active per-interpreter audit hooks via the gc module

• gh-98433: The IDNA codec decoder used on DNS hostnames by socket or asyncio related name resolution functions no longer involves a quadratic algorithm. This prevents a potential CPU denial of service if an out-of-spec excessive length hostname involving bidirectional characters were decoded. Some protocols such as urllib http 3xx redirects potentially allow for an attacker to supply such a name.

• gh-98739: Update bundled libexpat to 2.5.0

• gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 (CVE-2022-37454).

• gh-68966: The deprecated mailcap module now refuses to inject unsafe text (filenames, MIME types, parameters) into shell commands. Instead of using such text, it will warn and act as if a match was not found (or for test commands, as if the test failed).

Python 3.8.15 final

Release date: 2022-10-11

Security

• gh-97616: Fix multiplying a list by an integer (list *= int): detect the integer overflow when the new allocated length is close to the maximum size. Issue reported by Jordan Limor. Patch by Victor Stinner.

• gh-97612: Fix a shell code injection vulnerability in the get-remote-certificate.py example script. The script no longer uses a shell to run openssl commands. Issue reported and initial fix by Caleb Shortt. Patch by Victor Stinner.

Core and Builtins

• gh-96848: Fix command line parsing: reject -X int_max_str_digits option with no value (invalid) when the PYTHONINTMAXSTRDIGITS environment variable is set to a valid limit. Patch by Victor Stinner.

• gh-95778: When ValueError is raised if an integer is larger than the limit, mention the sys.set_int_max_str_digits() function in the error message. Patch by Victor Stinner.

Library

• gh-97005: Update bundled libexpat to 2.4.9

Windows

• gh-96577: Fixes a potential buffer overrun in msilib.

Python 3.8.14 final

Release date: 2022-09-06

Security

• gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735.

  This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form.

  Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.

• gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.

Core and Builtins

• gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.

  The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for more details.

Library

• bpo-46197: Fix ensurepip environment isolation for subprocess running pip.

• bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. Patch by Sergey Fedoseev.

Documentation

• gh-91888: Add a new gh role to the documentation to link to GitHub issues.

• bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.4.4.

Tests

• gh-94208: test_ssl is now checking for supported TLS version and protocols in more tests.

• bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and setuptools. Patch by Illia Volochii and Adam Turner.

• bpo-46114: Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses 0xMNN00PP0L.

Windows

• bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.

Python 3.8.13 final

Release date: 2022-03-15

Core and Builtins

• bpo-46794: Bump up the libexpat version into 2.4.6

Library

• bpo-46985: Upgrade pip wheel bundled with ensurepip (pip 22.0.4)

• bpo-46932: Update bundled libexpat to 2.4.7

• bpo-46811: Make test suite support Expat >=2.4.5

• bpo-46784: Fix libexpat symbols collisions with user dynamically loaded or statically linked libexpat in embedded Python.

• bpo-46756: Fix a bug in urllib.request.HTTPPasswordMgr.find_user_password() and urllib.request.HTTPPasswordMgrWithPriorAuth.is_authenticated() which allowed to bypass authorization. For example, access to URI example.org/foobar was allowed if the user was authorized for URI example.org/foo.

• bpo-46400: expat: Update libexpat from 2.4.1 to 2.4.4

• bpo-46474: In importlib.metadata.EntryPoint.pattern, avoid potential REDoS by limiting ambiguity in consecutive whitespace.

• bpo-44849: Fix the os.set_inheritable() function on FreeBSD 14 for file descriptor opened with the O_PATH flag: ignore the EBADF error on ioctl(), fallback on the fcntl() implementation. Patch by Victor Stinner.

Documentation

• bpo-41028: Language and version switchers, previously maintained in every cpython branches, are now handled by docsbuild-script.

Tests

• bpo-45195: Fix test_readline.test_nonascii(): sometimes, the newline character is not written at the end, so don’t expect it in the output. Patch by Victor Stinner.

• bpo-44949: Fix auto history tests of test_readline: sometimes, the newline character is not written at the end, so don’t expect it in the output.

Build

• bpo-47024: Update Windows builds and macOS installer build to use OpenSSL 1.1.1n.

• bpo-45405: Prevent internal configure error when running configure with recent versions of clang. Patch by David Bohman.

• bpo-45220: Avoid building with the Windows 11 SDK previews automatically. This may be overridden by setting the DefaultWindowsSDKVersion environment variable before building.

Windows

• bpo-44549: Update bzip2 to 1.0.8 in Windows builds to mitigate CVE-2016-3189 and CVE-2019-12900

• bpo-46948: Prevent CVE-2022-26488 by ensuring the Add to PATH option in the Windows installer uses the correct path when being repaired.

macOS

• bpo-44828: Avoid tkinter file dialog failure on macOS 12 Monterey when using the Tk 8.6.11 provided by python.org macOS installers. Patch by Marc Culler of the Tk project.

Python 3.8.12 final

Release date: 2021-08-30

Security

• bpo-42278: Replaced usage of tempfile.mktemp() with TemporaryDirectory to avoid a potential race condition.

• bpo-44394: Update the vendored copy of libexpat to 2.4.1 (from 2.2.8) to get the fix for the CVE-2013-0340 “Billion Laughs” vulnerability. This copy is most used on Windows and macOS.

• bpo-43124: Made the internal putcmd function in smtplib sanitize input for presence of \r and \n characters to avoid (unlikely) command injection.

• bpo-36384: ipaddress module no longer accepts any leading zeros in IPv4 address strings. Leading zeros are ambiguous and interpreted as octal notation by some libraries. For example the legacy function socket.inet_aton() treats leading zeros as octal notation. glibc implementation of modern inet_pton() does not accept any leading zeros. For a while the ipaddress module used to accept ambiguous leading zeros.

Core and Builtins

• bpo-44872: Use new trashcan macros (Py_TRASHCAN_BEGIN/END) in frameobject.c instead of the old ones (Py_TRASHCAN_SAFE_BEGIN/END).

• bpo-33930: Fix segmentation fault with deep recursion when cleaning method objects. Patch by Augusto Goulart and Pablo Galindo.

• bpo-44856: Fix reference leaks in the error paths of update_bases() and __build_class__. Patch by Pablo Galindo.

Library

• bpo-45001: Made email date parsing more robust against malformed input, namely a whitespace-only Date: header. Patch by Wouter Bolsterlee.

Documentation

• bpo-30511: Clarify that shutil.make_archive() is not thread-safe due to reliance on changing the current working directory.

Windows

• bpo-45007: Update to OpenSSL 1.1.1l in Windows build

macOS

• bpo-45007: Update macOS installer builds to use OpenSSL 1.1.1l.

• bpo-44689: ctypes.util.find_library() now works correctly on macOS 11 Big Sur even if Python is built on an older version of macOS. Previously, when built on older macOS systems, find_library was not able to find macOS system libraries when running on Big Sur due to changes in how system libraries are stored.

Python 3.8.11 final

Release date: 2021-06-28

Security

• bpo-44022: mod:http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.

• bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.

  Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.

• bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access.

Core and Builtins

• bpo-44070: No longer eagerly makes import filenames absolute, except for extension modules, which was introduced in 3.8.10.

Library

• bpo-44061: Fix regression in previous release when calling pkgutil.iter_modules() with a list of pathlib.Path objects

Python 3.8.10 final

Release date: 2021-05-03

Security

• bpo-43434: Creating a sqlite3.Connection object now also produces a sqlite3.connect auditing event. Previously this event was only produced by sqlite3.connect() calls. Patch by Erlend E. Aasland.

• bpo-43472: Ensures interpreter-level audit hooks receive the cpython.PyInterpreterState_New event when called through the _xxsubinterpreters module.

• bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

Core and Builtins

• bpo-43105: Importlib now resolves relative paths when creating module spec objects from file locations.

• bpo-42924: Fix bytearray repetition incorrectly copying data from the start of the buffer, even if the data is offset within the buffer (e.g. after reassigning a slice at the start of the bytearray to a shorter byte string).

Library

• bpo-43993: Update bundled pip to 21.1.1.

• bpo-43937: Fixed the turtle module working with non-default root window.

• bpo-43930: Update bundled pip to 21.1 and setuptools to 56.0.0

• bpo-43920: OpenSSL 3.0.0: load_verify_locations() now returns a consistent error message when cadata contains no valid certificate.

• bpo-43607: urllib can now convert Windows paths with \\?\ prefixes into URL paths.

• bpo-43284: platform.win32_ver derives the windows version from sys.getwindowsversion().platform_version which in turn derives the version from kernel32.dll (which can be of a different version than Windows itself). Therefore change the platform.win32_ver to determine the version using the platform module’s _syscmd_ver private function to return an accurate version.

• bpo-42248: [Enum] ensure exceptions raised in _missing__ are released

• bpo-43799: OpenSSL 3.0.0: define OPENSSL_API_COMPAT 1.1.1 to suppress deprecation warnings. Python requires OpenSSL 1.1.1 APIs.

• bpo-43794: Add ssl.OP_IGNORE_UNEXPECTED_EOF constants (OpenSSL 3.0.0)

• bpo-43789: OpenSSL 3.0.0: Don’t call the password callback function a second time when first call has signaled an error condition.

• bpo-43788: The header files for ssl error codes are now OpenSSL version-specific. Exceptions will now show correct reason and library codes. The make_ssl_data.py script has been rewritten to use OpenSSL’s text file with error codes.

• bpo-43655: tkinter dialog windows are now recognized as dialogs by window managers on macOS and X Window.

• bpo-43534: turtle.textinput() and turtle.numinput() create now a transient window working on behalf of the canvas window.

• bpo-43522: Fix problem with hostname_checks_common_name. OpenSSL does not copy hostflags from struct SSL_CTX to struct SSL.

• bpo-42967: Allow bytes separator argument in urllib.parse.parse_qs and urllib.parse.parse_qsl when parsing str query strings. Previously, this raised a TypeError.

• bpo-43176: Fixed processing of a dataclass that inherits from a frozen dataclass with no fields. It is now correctly detected as an error.

• bpo-34463: Fixed discrepancy between traceback and the interpreter in formatting of SyntaxError with lineno not set (traceback was changed to match interpreter).

• bpo-41735: Fix thread locks in zlib module may go wrong in rare case. Patch by Ma Lin.

• bpo-26053: Fixed bug where the pdb interactive run command echoed the args from the shell command line, even if those have been overridden at the pdb prompt.

• bpo-36470: Fix dataclasses with InitVars and replace(). Patch by Claudiu Popa.

• bpo-28577: The hosts method on 32-bit prefix length IPv4Networks and 128-bit prefix IPv6Networks now returns a list containing the single Address instead of an empty list.

• bpo-32745: Fix a regression in the handling of ctypes’ ctypes.c_wchar_p type: embedded null characters would cause a ValueError to be raised. Patch by Zackery Spytz.

Documentation

• bpo-43959: The documentation on the PyContextVar C-API was clarified.

• bpo-43938: Update dataclasses documentation to express that FrozenInstanceError is derived from AttributeError.

• bpo-43739: Fixing the example code in Doc/extending/extending.rst to declare and initialize the pmodule variable to be of the right type.

Tests

• bpo-43842: Fix a race condition in the SMTP test of test_logging. Don’t close a file descriptor (socket) from a different thread while asyncore.loop() is polling the file descriptor. Patch by Victor Stinner.

• bpo-43811: Tests multiple OpenSSL versions on GitHub Actions. Use ccache to speed up testing.

• bpo-43791: OpenSSL 3.0.0: Disable testing of legacy protocols TLS 1.0 and 1.1. Tests are failing with TLSV1_ALERT_INTERNAL_ERROR.

Windows

• bpo-35306: Avoid raising errors from pathlib.Path.exists() when passed an invalid filename.

• bpo-38822: Fixed os.stat() failing on inaccessible directories with a trailing slash, rather than falling back to the parent directory’s metadata. This implicitly affected os.path.exists() and os.path.isdir().

• bpo-26227: Fixed decoding of host names in socket.gethostbyaddr() and socket.gethostbyname_ex().

• bpo-43745: Actually updates Windows release to OpenSSL 1.1.1k. Earlier releases were mislabelled and actually included 1.1.1i again.

• bpo-43492: Upgrade Windows installer to use SQLite 3.35.5.

macOS

• bpo-44009: Provide “python3.x-intel64” executable to allow reliably forcing macOS universal2 framework builds to run under Rosetta 2 Intel-64 emulation on Apple Silicon Macs. This can be useful for testing or when universal2 wheels are not yet available.

• bpo-41100: As of 3.8.10, Python now supports building and running on macOS 11 (Big Sur) and on Apple Silicon Macs (based on the ARM64 architecture). A new universal build variant, universal2, is also available to natively support both ARM64 and Intel 64 in one set of executables. This backport from Python 3.9 does not include support for “weaklinking”; to support a range of macOS versions, continue to target for and build on the oldest version in the range; for 3.8.x, the universal2 variant is only useful on macOS 11 or later.

• bpo-43492: Update macOS installer to use SQLite 3.35.4.

IDLE

• bpo-43655: IDLE dialog windows are now recognized as dialogs by window managers on macOS and X Window.

C API

• bpo-43962: _PyInterpreterState_IDIncref() now calls _PyInterpreterState_IDInitref() and always increments id_refcount. Previously, calling _xxsubinterpreters.get_current() could create an id_refcount inconsistency when a _xxsubinterpreters.InterpreterID object was deallocated. Patch by Victor Stinner.

Python 3.8.9 final

Release date: 2021-04-02

Security

• bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.

• bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.

  Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.

• bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.

Core and Builtins

• bpo-43660: Fix crash that happens when replacing sys.stderr with a callable that can remove the object while an exception is being printed. Patch by Pablo Galindo.

• bpo-35883: Python no longer fails at startup with a fatal error if a command line argument contains an invalid Unicode character. The Py_DecodeLocale() function now escapes byte sequences which would be decoded as Unicode characters outside the [U+0000; U+10ffff] range.

• bpo-43406: Fix a possible race condition where PyErr_CheckSignals tries to execute a non-Python signal handler.

Library

• bpo-35930: Raising an exception raised in a “future” instance will create reference cycles.

• bpo-43577: Fix deadlock when using ssl.SSLContext debug callback with ssl.SSLContext.sni_callback().

• bpo-43423: subprocess.communicate() no longer raises an IndexError when there is an empty stdout or stderr IO buffer during a timeout on Windows.

• bpo-27820: Fixed long-standing bug of smtplib.SMTP where doing AUTH LOGIN with initial_response_ok=False will fail.

  The cause is that SMTP.auth_login _always_ returns a password if provided with a challenge string, thus non-compliant with the standard for AUTH LOGIN.

  Also fixes bug with the test for smtpd.

• bpo-43399: Fix ElementTree.extend not working on iterators when using the Python implementation

• bpo-43316: The python -m gzip command line application now properly fails when detecting an unsupported extension. It exits with a non-zero exit code and prints an error message to stderr.

• bpo-43260: Fix TextIOWrapper can not flush internal buffer forever after very large text is written.

• bpo-42782: Fail fast in shutil.move() to avoid creating destination directories on failure.

• bpo-37193: Fixed memory leak in socketserver.ThreadingMixIn introduced in Python 3.7.

Documentation

• bpo-43199: Answer “Why is there no goto?” in the Design and History FAQ.

• bpo-43407: Clarified that a result from time.monotonic(), time.perf_counter(), time.process_time(), or time.thread_time() can be compared with the result from any following call to the same function - not just the next immediate call.

• bpo-27646: Clarify that ‘yield from <expr>’ works with any iterable, not just iterators.

• bpo-36346: Update some deprecated unicode APIs which are documented as “will be removed in 4.0” to “3.12”. See PEP 623 for detail.

Tests

• bpo-37945: Fix test_getsetlocale_issue1813() of test_locale: skip the test if setlocale() fails. Patch by Victor Stinner.

• bpo-41561: Add workaround for Ubuntu’s custom OpenSSL security level policy.

Build

• bpo-43631: Update macOS, Windows, and CI to OpenSSL 1.1.1k.

• bpo-43617: Improve configure.ac: Check for presence of autoconf-archive package and remove our copies of M4 macros.

macOS

• bpo-41837: Update macOS installer build to use OpenSSL 1.1.1j.

IDLE

• bpo-42225: Document that IDLE can fail on Unix either from misconfigured IP masquerage rules or failure displaying complex colored (non-ascii) characters.

• bpo-43283: Document why printing to IDLE’s Shell is often slower than printing to a system terminal and that it can be made faster by pre-formatting a single string before printing.

Python 3.8.8 final

Release date: 2021-02-19

There were no new changes in version 3.8.8.

Python 3.8.8 release candidate 1

Release date: 2021-02-16

Security

• bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.

• bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.

Core and Builtins

• bpo-42819: readline: Explicitly disable bracketed paste in the interactive interpreter, even if it’s set in the inputrc, is enabled by default (eg GNU Readline 8.1), or a user calls readline.read_init_file(). The Python REPL has not implemented bracketed paste support. Also, bracketed mode writes the "\x1b[?2004h" escape sequence into stdout which causes test failures in applications that don’t support it. It can still be explicitly enabled by calling readline.parse_and_bind("set enable-bracketed-paste on"). Patch by Dustin Rodrigues.

Library

• bpo-43108: Fixed a reference leak in the curses module. Patch by Pablo Galindo

• bpo-42780: Fix os.set_inheritable() for O_PATH file descriptors on Linux.

• bpo-41748: Fix HTMLParser parsing rules for element attributes containing commas with spaces. Patch by Karl Dubost.

• bpo-42759: Fixed equality comparison of tkinter.Variable and tkinter.font.Font. Objects which belong to different Tcl interpreters are now always different, even if they have the same name.

• bpo-23328: Allow / character in username, password fields on _PROXY envars.

• bpo-42681: Fixed range checks for color and pair numbers in curses.

• bpo-42531: importlib.resources.path() now works for packages missing the optional __file__ attribute (more specifically, packages whose __spec__.origin is None).

• bpo-42388: Fix subprocess.check_output(…, input=None) behavior when text=True to be consistent with that of the documentation and universal_newlines=True.

• bpo-42384: Make pdb populate sys.path[0] exactly the same as regular python execution.

• bpo-42383: Fix pdb: previously pdb would fail to restart the debugging target if it was specified using a relative path and the current directory changed.

• bpo-42318: Fixed support of non-BMP characters in tkinter on macOS.

• bpo-42005: Fix CLI of cProfile and profile to catch BrokenPipeError.

• bpo-41604: Don’t decrement the reference count of the previous user_ptr when set_panel_userptr fails.

• bpo-26407: Unexpected errors in calling the __iter__ method are no longer masked by TypeError in csv.reader(), csv.writer.writerow() and csv.writer.writerows().

• bpo-39068: Fix initialization race condition in a85encode() and b85encode() in base64. Patch by Brandon Stansbury.

• bpo-36589: The curses.update_lines_cols() function now returns None instead of 1 on success.

• bpo-33289: Correct call to tkinter.colorchooser to return RGB triplet of ints instead of floats. Patch by Cheryl Sabella.

Documentation

• bpo-40304: Fix doc for type(name, bases, dict). Patch by Boris Verkhovskiy and Éric Araujo.

• bpo-42811: Updated importlib.utils.resolve_name() doc to use __spec__.parent instead of __package__. (Thanks Yair Frid.)

Tests

• bpo-42794: Update test_nntplib to use offical group name of news.aioe.org for testing. Patch by Dong-hee Na.

• bpo-40810: In sqlite3, fix CheckTraceCallbackContent for SQLite pre 3.7.15.

Build

• bpo-29076: Add fish shell support to macOS installer.

Windows

• bpo-41837: Updated Windows installer to include OpenSSL 1.1.1i

• bpo-42584: Upgrade Windows installer to use SQLite 3.34.0.

macOS

• bpo-41837: Update macOS installer build to use OpenSSL 1.1.1i.

• bpo-42584: Update macOS installer to use SQLite 3.34.0.

IDLE

• bpo-43008: Make IDLE invoke sys.excepthook() in normal, 2-process mode. Patch by Ken Hilton.

• bpo-33065: Fix problem debugging user classes with __repr__ method.

• bpo-42508: Keep IDLE running on macOS. Remove obsolete workaround that prevented running files with shortcuts when using new universal2 installers built on macOS 11.

• bpo-23544: Disable Debug=>Stack Viewer when user code is running or Debugger is active, to prevent hang or crash. Patch by Zackery Spytz.

• bpo-32631: Finish zzdummy example extension module: make menu entries work; add docstrings and tests with 100% coverage.

Tools/Demos

• bpo-42726: Fixed Python 3 compatibility issue with gdb/libpython.py handling of attribute dictionaries.

C API

• bpo-43030: Fixed a compiler warning in Py_UNICODE_ISSPACE() on platforms with signed wchar_t.

• bpo-40052: Fix an alignment build warning/error in function PyVectorcall_Function(). Patch by Andreas Schneider, Antoine Pitrou and Petr Viktorin.

Python 3.8.7 final

Release date: 2020-12-21

Core and Builtins

• bpo-32381: Fix encoding name when running a .pyc file on Windows: PyRun_SimpleFileExFlags() now uses the correct encoding to decode the filename.

• bpo-42536: Several built-in and standard library types now ensure that their internal result tuples are always tracked by the garbage collector:

  • collections.OrderedDict.items()

  • dict.items()

  • enumerate()

  • functools.reduce()

  • itertools.combinations()

  • itertools.combinations_with_replacement()

  • itertools.permutations()

  • itertools.product()

  • itertools.zip_longest()

  • zip()

  Previously, they could have become untracked by a prior garbage collection. Patch by Brandt Bucher.

Library

• bpo-42630: tkinter functions and constructors which need a default root window raise now RuntimeError with descriptive message instead of obscure AttributeError or NameError if it is not created yet or cannot be created automatically.

• bpo-42644: logging.disable will now validate the types and value of its parameter. It also now accepts strings representing the levels (as does loging.setLevel) instead of only the numerical values.

• bpo-36541: Fixed lib2to3.pgen2 to be able to parse PEP-570 positional only argument syntax.

• bpo-42375: subprocess module update for DragonFlyBSD support.

• bpo-39825: Windows: Change sysconfig.get_config_var('EXT_SUFFIX') to the expected full platform_tag.extension format. Previously it was hard-coded to .pyd, now it is compatible with distutils.sysconfig and will result in something like .cp38-win_amd64.pyd. This brings windows into conformance with the other platforms.

• bpo-39101: Fixed tests using IsolatedAsyncioTestCase from hanging on BaseExceptions.

• bpo-41907: fix format() behavior for IntFlag

• bpo-41889: Enum: fix regression involving inheriting a multiply-inherited enum

• bpo-41891: Ensure asyncio.wait_for waits for task completion

• bpo-40219: Lowered tkinter.ttk.LabeledScale dummy widget to prevent hiding part of the content label.

• bpo-40084: Fix Enum.__dir__: dir(Enum.member) now includes attributes as well as methods.

Documentation

• bpo-17140: Add documentation for the multiprocessing.pool.ThreadPool class.

Build

• bpo-42604: Now all platforms use a value for the “EXT_SUFFIX” build variable derived from SOABI (for instance in freeBSD, “EXT_SUFFIX” is now “.cpython-310d.so” instead of “.so”). Previosuly only Linux, Mac and VxWorks were using a value for “EXT_SUFFIX” that included “SOABI”.

• bpo-42598: Fix implicit function declarations in configure which could have resulted in incorrect configuration checks. Patch contributed by Joshua Root.

Tools/Demos

• bpo-42613: Fix freeze.py tool to use the prope config and library directories. Patch by Victor Stinner.

Python 3.8.7 release candidate 1

Release date: 2020-12-07

Security

• bpo-42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.

• bpo-42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files.

• bpo-40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely.

Core and Builtins

• bpo-41686: On Windows, the SIGINT event, _PyOS_SigintEvent(), is now created even if Python is configured to not install signal handlers (if PyConfig.install_signal_handlers equals to 0, or Py_InitializeEx(0)).

• bpo-42143: Fix handling of errors during creation of PyFunctionObject, which resulted in operations on uninitialized memory. Patch by Yonatan Goldschmidt.

• bpo-41984: The garbage collector now tracks all user-defined classes. Patch by Brandt Bucher.

• bpo-41909: Fixed stack overflow in issubclass() and isinstance() when getting the __bases__ attribute leads to infinite recursion.

• bpo-41894: When loading a native module and a load failure occurs, prevent a possible UnicodeDecodeError when not running in a UTF-8 locale by decoding the load error message using the current locale’s encoding.

Library

• bpo-17735: inspect.findsource() now raises OSError instead of IndexError when co_lineno of a code object is greater than the file length. This can happen, for example, when a file is edited after it was imported. PR by Irit Katriel.

• bpo-42116: Fix handling of trailing comments by inspect.getsource().

• bpo-42482: TracebackException no longer holds a reference to the exception’s traceback object. Consequently, instances of TracebackException for equivalent but non-equal exceptions now compare as equal.

• bpo-42406: We fixed an issue in pickle.whichmodule in which importing multiprocessing could change the how pickle identifies which module an object belongs to, potentially breaking the unpickling of those objects.

• bpo-42328: Fixed tkinter.ttk.Style.map(). The function accepts now the representation of the default state as empty sequence (as returned by Style.map()). The structure of the result is now the same on all platform and does not depend on the value of wantobjects.

• bpo-42014: The onerror callback from shutil.rmtree now receives correct function when os.open fails.

• bpo-42237: Fix os.sendfile() on illumos.

• bpo-42249: Fixed writing binary Plist files larger than 4 GiB.

• bpo-35455: On Solaris, thread_time() is now implemented with gethrvtime() because clock_gettime(CLOCK_THREAD_CPUTIME_ID) is not always available. Patch by Jakub Kulik.

• bpo-41754: webbrowser: Ignore NotADirectoryError when calling xdg-settings.

• bpo-29566: binhex.binhex() consisently writes macOS 9 line endings.

• bpo-42183: Fix a stack overflow error for asyncio Task or Future repr().

  The overflow occurs under some circumstances when a Task or Future recursively returns itself.

• bpo-42103: InvalidFileException and RecursionError are now the only errors caused by loading malformed binary Plist file (previously ValueError and TypeError could be raised in some specific cases).

• bpo-41491: plistlib: fix parsing XML plists with hexadecimal integer values

• bpo-32498: Clearer exception message when passing an argument of type bytes to urllib.parse.unquote(). This is only for 3.8; in 3.9 and later this function accepts bytes inputs as well. PR by Irit Katriel.

• bpo-42065: Fix an incorrectly formatted error from _codecs.charmap_decode() when called with a mapped value outside the range of valid Unicode code points. PR by Max Bernstein.

• bpo-41966: Fix pickling pure Python datetime.time subclasses. Patch by Dean Inwood.

• bpo-41976: Fixed a bug that was causing ctypes.util.find_library() to return None when triying to locate a library in an environment when gcc>=9 is available and ldconfig is not. Patch by Pablo Galindo

• bpo-41900: C14N 2.0 serialisation in xml.etree.ElementTree failed for unprefixed attributes when a default namespace was defined.

• bpo-41855: In importlib.metadata, fix issue where multiple children can be returned from FastPath.zip_children(). Backport of python-devs/importlib_metadata#117.

• bpo-41840: Fix a bug in the symtable module that was causing module-scope global variables to not be reported as both local and global. Patch by Pablo Galindo.

• bpo-41831: str() for the type attribute of the tkinter.Event object always returns now the numeric code returned by Tk instead of the name of the event type.

• bpo-41662: No longer override exceptions raised in __len__() of a sequence of parameters in sqlite3 with ProgrammingError.

• bpo-41662: Fixed crash when mutate list of parameters during iteration in sqlite3.

• bpo-34215: Clarify the error message for asyncio.IncompleteReadError when expected is None.

• bpo-41316: Fix the tarfile module to write only basename of TAR file to GZIP compression header.

• bpo-12800: Extracting a symlink from a tarball should succeed and overwrite the symlink if it already exists. The fix is to remove the existing file or symlink before extraction. Based on patch by Chris AtLee, Jeffrey Kintscher, and Senthil Kumaran.

• bpo-16936: Allow ctypes.wintypes to be imported on non-Windows systems.

• bpo-40592: shutil.which() now ignores empty entries in PATHEXT instead of treating them as a match.

• bpo-40492: Fix --outfile for cProfile / profile not writing the output file in the original directory when the program being profiled changes the working directory. PR by Anthony Sottile.

• bpo-40105: ZipFile truncates files to avoid corruption when a shorter comment is provided in append (“a”) mode. Patch by Jan Mazur.

• bpo-27321: Fixed KeyError exception when flattening an email to a string attempts to replace a non-existent Content-Transfer-Encoding header.

• bpo-32793: Fix a duplicated debug message when smtplib.SMTP.connect() is called.

Documentation

• bpo-42153: Fix the URL for the IMAP protocol documents.

• bpo-41910: Document the default implementation of object.__eq__.

• bpo-41774: In Programming FAQ “Sequences (Tuples/Lists)” section, add “How do you remove multiple items from a list”.

• bpo-39416: Document some restrictions on the default string representations of numeric classes.

Tests

• bpo-41473: Reenable test_gdb on gdb 9.2 and newer: https://bugzilla.redhat.com/show_bug.cgi?id=1866884 bug is fixed in gdb 10.1.

• bpo-42553: Fix test_asyncio.test_call_later() race condition: don’t measure asyncio performance in the call_later() unit test. The test failed randomly on the CI.

• bpo-40754: Include _testinternalcapi module in Windows installer for test suite

• bpo-41739: Fix test_logging.test_race_between_set_target_and_flush(): the test now waits until all threads complete to avoid leaking running threads.

• bpo-41944: Tests for CJK codecs no longer call eval() on content received via HTTP.

• bpo-41939: Fix test_site.test_license_exists_at_url(): call urllib.request.urlcleanup() to reset the global urllib.request._opener. Patch by Victor Stinner.

• bpo-41561: test_ssl: skip test_min_max_version_mismatch when TLS 1.0 is not available

• bpo-41602: Add tests for SIGINT handling in the runpy module.

• bpo-41306: Fixed a failure in test_tk.test_widgets.ScaleTest happening when executing the test with Tk 8.6.10.

Build

• bpo-42398: Fix a race condition in “make regen-all” when make -jN option is used to run jobs in parallel. The clinic.py script now only use atomic write to write files. Moveover, generated files are now left unchanged if the content does not change, to not change the file modification time.

Windows

• bpo-42120: Remove macro definition of copysign (to _copysign) in headers.

• bpo-38439: Updates the icons for IDLE in the Windows Store package.

• bpo-41557: Update Windows installer to use SQLite 3.33.0.

• bpo-38324: Avoid Unicode errors when accessing certain locale data on Windows.

macOS

• bpo-38443: The --enable-universalsdk and --with-universal-archs options for the configure script now check that the specified architectures can be used.

• bpo-41471: Ignore invalid prefix lengths in system proxy excludes.

• bpo-41557: Update macOS installer to use SQLite 3.33.0.

IDLE

• bpo-42426: Fix reporting offset of the RE error in searchengine.

• bpo-42415: Get docstrings for IDLE calltips more often by using inspect.getdoc.

• bpo-33987: Mostly finish using ttk widgets, mainly for editor, settings, and searches. Some patches by Mark Roseman.

• bpo-41775: Use ‘IDLE Shell’ as shell title

• bpo-40511: Typing opening and closing parentheses inside the parentheses of a function call will no longer cause unnecessary “flashing” off and on of an existing open call-tip, e.g. when typed in a string literal.

• bpo-38439: Add a 256×256 pixel IDLE icon to the Windows .ico file. Created by Andrew Clover. Remove the low-color gif variations from the .ico file.

C API

• bpo-41986: Py_FileSystemDefaultEncodeErrors and Py_UTF8Mode are available again in limited API.

Python 3.8.6 final

Release date: 2020-09-23

Core and Builtins

• bpo-41525: The output of python --help contains now only ASCII characters.

Library

• bpo-41817: fix tkinter.EventType Enum so all members are strings, and none are tuples

• bpo-41815: Fix SQLite3 segfault when backing up closed database. Patch contributed by Peter David McCormick.

• bpo-41517: fix bug allowing Enums to be extended via multiple inheritance

• bpo-39587: use the correct mix-in data type when constructing Enums

• bpo-41789: Honor object overrides in Enum class creation (specifically, __str__, __repr__, __format__, and __reduce_ex__).

• bpo-39651: Fix a race condition in the call_soon_threadsafe() method of asyncio.ProactorEventLoop: do nothing if the self-pipe socket has been closed.

• bpo-41720: Fixed turtle.Vec2D.__rmul__() for arguments which are not int or float.

• bpo-39728: fix default _missing_ so a duplicate ValueError is not set as the __context__ of the original ValueError

• bpo-37479: When Enum.__str__ is overridden in a derived class, the override will be used by Enum.__format__ regardless of whether mixin classes are present.

Documentation

• bpo-35293: Fix RemovedInSphinx40Warning when building the documentation. Patch by Dong-hee Na.

• bpo-37149: Change Shipman tkinter doc link from archive.org to TkDocs. (The doc has been removed from the NMT server.) The new link responds much faster and includes a short explanatory note.

Tests

• bpo-41731: Make test_cmd_line_script pass with option ‘-vv’.

Windows

• bpo-41744: Fixes automatic import of props file when using the Nuget package.

IDLE

• bpo-35764: Rewrite the Calltips doc section.

• bpo-40181: In calltips, stop reminding that ‘/’ marks the end of positional-only arguments.

Python 3.8.6 release candidate 1

Release date: 2020-09-07

Core and Builtins

• bpo-41654: Fix a crash that occurred when destroying subclasses of MemoryError. Patch by Pablo Galindo.

• bpo-41533: Free the stack allocated in va_build_stack if do_mkstack fails and the stack is not a small_stack.

• bpo-38156: Handle interrupts that come after EOF correctly in PyOS_StdioReadline.

Library

• bpo-41696: Fix handling of debug mode in asyncio.run(). This allows setting PYTHONASYNCIODEBUG or -X dev to enable asyncio debug mode when using asyncio.run().

• bpo-39010: Restarting a ProactorEventLoop on Windows no longer logs spurious ConnectionResetErrors.

• bpo-41609: The pdb whatis command correctly reports instance methods as ‘Method’ rather than ‘Function’.

• bpo-32751: When cancelling the task due to a timeout, asyncio.wait_for() will now wait until the cancellation is complete also in the case when timeout is <= 0, like it does with positive timeouts.

• bpo-37658: asyncio.wait_for() now properly handles races between cancellation of itself and the completion of the wrapped awaitable.

• bpo-40782: Change the method asyncio.AbstractEventLoop.run_in_executor to not be a coroutine.

• bpo-41520: Fix codeop regression that prevented turning compile warnings into errors.

• bpo-41503: Fixed a race between setTarget and flush in logging.handlers.MemoryHandler.

• bpo-41497: Fix potential UnicodeDecodeError in dis module.

• bpo-41490: Update ensurepip to install pip 20.2.1 and setuptools 49.2.1.

• bpo-41467: On Windows, fix asyncio recv_into() return value when the socket/pipe is closed (BrokenPipeError): return 0 rather than an empty byte string (b'').

• bpo-41425: Make tkinter doc example runnable.

• bpo-41384: Raise TclError instead of TypeError when an unknown option is passed to tkinter.OptionMenu.

• bpo-38731: Fix NameError in command-line interface of py_compile.

• bpo-41364: Reduce import overhead of uuid.

• bpo-41344: Prevent creating shared_memory.SharedMemory objects with size=0.

• bpo-40726: Handle cases where the end_lineno is None on ast.increment_lineno().

• bpo-31122: ssl.wrap_socket() now raises ssl.SSLEOFError rather than OSError when peer closes connection during TLS negotiation

• bpo-33660: Fix pathlib.PosixPath to resolve a relative path located on the root directory properly.

Documentation

• bpo-41624: Fix the signature of typing.Coroutine.

• bpo-40204: Enable Sphinx 3.2 c_allow_pre_v3 option and disable c_warn_on_allowed_pre_v3 option to make the documentation compatible with Sphinx 2 and Sphinx 3.

• bpo-41045: Add documentation for debug feature of f-strings.

• bpo-41314: Changed the release when from __future__ import annotations becomes the default from 4.0 to 3.10 (following a change in PEP 563).

• bpo-39883: Make code, examples, and recipes in the Python documentation be licensed under the more permissive BSD0 license in addition to the existing Python 2.0 license.

Windows

• bpo-41492: Fixes the description that appears in UAC prompts.

• bpo-40741: Update Windows release to include SQLite 3.32.3.

IDLE

• bpo-41468: Improve IDLE run crash error message (which users should never see).

• bpo-41373: Save files loaded with no line ending, as when blank, or different line endings, by setting its line ending to the system default. Fix regression in 3.8.4 and 3.9.0b4.

C API

• bpo-41524: Fix bug in PyOS_mystrnicmp and PyOS_mystricmp that incremented pointers beyond the end of a string.

Python 3.8.5 final

Release date: 2020-07-20

Security

• bpo-41304: Fixes python3x._pth being ignored on Windows, caused by the fix for bpo-29778 (CVE-2020-15801).

• bpo-39603: Prevent http header injection by rejecting control characters in http.client.putrequest(…).

Core and Builtins

• bpo-41295: Resolve a regression in CPython 3.8.4 where defining “__setattr__” in a multi-inheritance setup and calling up the hierarchy chain could fail if builtins/extension types were involved in the base types.

Library

• bpo-41288: Unpickling invalid NEWOBJ_EX opcode with the C implementation raises now UnpicklingError instead of crashing.

• bpo-39017: Avoid infinite loop when reading specially crafted TAR files using the tarfile module (CVE-2019-20907).

Documentation

• bpo-37703: Updated Documentation to comprehensively elaborate on the behaviour of gather.cancel()

Build

• bpo-41302: Enable building Python 3.8 with libmpdec-2.5.0 to ease maintenance for Linux distributions. Patch by Felix Yan.

macOS

• bpo-40741: Update macOS installer to use SQLite 3.32.3.

IDLE

• bpo-41300: Save files with non-ascii chars. Fix regression released in 3.9.0b4 and 3.8.4.

Python 3.8.4 final

Release date: 2020-07-13

Security

• bpo-41162: Audit hooks are now cleared later during finalization to avoid missing events.

• bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (CVE-2020-15523).

Core and Builtins

• bpo-41247: Always cache the running loop holder when running asyncio.set_running_loop.

• bpo-41252: Fix incorrect refcounting in _ssl.c’s _servername_callback().

• bpo-41218: Python 3.8.3 had a regression where compiling with ast.PyCF_ALLOW_TOP_LEVEL_AWAIT would aggressively mark list comprehension with CO_COROUTINE. Now only list comprehension making use of async/await will tagged as so.

• bpo-41175: Guard against a NULL pointer dereference within bytearrayobject triggered by the bytearray() + bytearray() operation.

• bpo-39960: The “hackcheck” that prevents sneaking around a type’s __setattr__() by calling the superclass method was rewritten to allow C implemented heap types.

Library

• bpo-41235: Fix the error handling in ssl.SSLContext.load_dh_params().

• bpo-41193: The write_history() atexit function of the readline completer now ignores any OSError to ignore error if the filesystem is read-only, instead of only ignoring FileNotFoundError and PermissionError.

• bpo-41043: Fixed the use of glob() in the stdlib: literal part of the path is now always correctly escaped.

• bpo-39384: Fixed email.contentmanager to allow set_content() to set a null string.

IDLE

• bpo-37765: Add keywords to module name completion list. Rewrite Completions section of IDLE doc.

• bpo-41152: The encoding of stdin, stdout and stderr in IDLE is now always UTF-8.

Python 3.8.4 release candidate 1

Release date: 2020-06-29

Security

• bpo-41004: The __hash__() methods of ipaddress.IPv4Interface and ipaddress.IPv6Interface incorrectly generated constant hash values of 32 and 128 respectively. This resulted in always causing hash collisions. The fix uses hash() to generate hash values for the tuple of (address, mask length, network address).

• bpo-39073: Disallow CR or LF in email.headerregistry.Address arguments to guard against header injection attacks.

Core and Builtins

• bpo-41094: Fix decoding errors with audit when open files with non-ASCII names on non-UTF-8 locale.

• bpo-41056: Fixes a reference to deallocated stack space during startup when constructing sys.path involving a relative symlink when code was supplied via -c. (discovered via Coverity)

• bpo-35975: Stefan Behnel reported that cf_feature_version is used even when PyCF_ONLY_AST is not set. This is against the intention and against the documented behavior, so it’s been fixed.

• bpo-40957: Fix refleak in _Py_fopen_obj() when PySys_Audit() fails

• bpo-40870: Raise ValueError when validating custom AST’s where the constants True, False and None are used within a ast.Name node.

• bpo-40826: Fix GIL usage in PyOS_Readline(): lock the GIL to set an exception and pass the Python thread state when checking if there is a pending signal.

• bpo-40824: Unexpected errors in calling the __iter__ method are no longer masked by TypeError in the in operator and functions contains(), indexOf() and countOf() of the operator module.

• bpo-40663: Correctly generate annotations where parentheses are omitted but required (e.g: Type[(str, int, *other))].

Library

• bpo-41138: Fixed the trace module CLI for Python source files with non-UTF-8 encoding.

• bpo-31938: Fix default-value signatures of several functions in the select module - by Anthony Sottile.

• bpo-41068: Fixed reading files with non-ASCII names from ZIP archive directly after writing them.

• bpo-41058: pdb.find_function() now correctly determines the source file encoding.

• bpo-41056: Fix a NULL pointer dereference within the ssl module during a MemoryError in the keylog callback. (discovered by Coverity)

• bpo-41048: mimetypes.read_mime_types() function reads the rule file using UTF-8 encoding, not the locale encoding. Patch by Srinivas Reddy Thatiparthy.

• bpo-40448: ensurepip now disables the use of pip cache when installing the bundled versions of pip and setuptools. Patch by Krzysztof Konopko.

• bpo-40855: The standard deviation and variance functions in the statistics module were ignoring their mu and xbar arguments.

• bpo-40807: Stop codeop._maybe_compile, used by code.InteractiveInterpreter (and IDLE). from from emitting each warning three times.

• bpo-40834: Fix truncate when sending str object with_xxsubinterpreters.channel_send.

• bpo-38488: Update ensurepip to install pip 20.1.1 and setuptools 47.1.0.

• bpo-40767: webbrowser now properly finds the default browser in pure Wayland systems by checking the WAYLAND_DISPLAY environment variable. Patch contributed by Jérémy Attali.

• bpo-40795: ctypes module: If ctypes fails to convert the result of a callback or if a ctypes callback function raises an exception, sys.unraisablehook is now called with an exception set. Previously, the error was logged into stderr by PyErr_Print().

• bpo-30008: Fix ssl code to be compatible with OpenSSL 1.1.x builds that use no-deprecated and --api=1.1.0.

• bpo-40614: ast.parse() will not parse self documenting expressions in f-strings when passed feature_version is less than (3, 8).

• bpo-40626: Add h5 file extension as MIME Type application/x-hdf5, as per HDF Group recommendation for HDF5 formatted data files. Patch contributed by Mark Schwab.

• bpo-25872: linecache could crash with a KeyError when accessed from multiple threads. Fix by Michael Graczyk.

• bpo-40597: If text content lines are longer than policy.max_line_length, always use a content-encoding to make sure they are wrapped.

• bpo-40515: The ssl and hashlib modules now actively check that OpenSSL is build with thread support. Python 3.7.0 made thread support mandatory and no longer works safely with a no-thread builds.

• bpo-13097: ctypes now raises an ArgumentError when a callback is invoked with more than 1024 arguments.

• bpo-40457: The ssl module now support OpenSSL builds without TLS 1.0 and 1.1 methods.

• bpo-39830: Add zipfile.Path to __all__ in the zipfile module.

• bpo-40025: Raise TypeError when _generate_next_value_ is defined after members. Patch by Ethan Onstott.

• bpo-39244: Fixed multiprocessing.context.get_all_start_methods to properly return the default method first on macOS.

• bpo-39040: Fix parsing of invalid mime headers parameters by collapsing whitespace between encoded words in a bare-quote-string.

• bpo-35714: struct.error is now raised if there is a null character in a struct format string.

• bpo-36290: AST nodes are now raising TypeError on conflicting keyword arguments. Patch contributed by Rémi Lapeyre.

• bpo-29620: assertWarns() no longer raises a RuntimeException when accessing a module’s __warningregistry__ causes importation of a new module, or when a new module is imported in another thread. Patch by Kernc.

• bpo-34226: Fix cgi.parse_multipart without content_length. Patch by Roger Duran

Tests

• bpo-41085: Fix integer overflow in the array.array.index() method on 64-bit Windows for index larger than 2**31.

• bpo-38377: On Linux, skip tests using multiprocessing if the current user cannot create a file in /dev/shm/ directory. Add the skip_if_broken_multiprocessing_synchronize() function to the test.support module.

• bpo-41009: Fix use of support.require_{linux|mac|freebsd}_version() decorators as class decorator.

• bpo-41003: Fix test_copyreg when numpy is installed: test.pickletester now saves/restores warnings filters when importing numpy, to ignore filters installed by numpy.

• bpo-40964: Disable remote imaplib tests, host cyrus.andrew.cmu.edu is blocking incoming connections.

• bpo-40055: distutils.tests now saves/restores warnings filters to leave them unchanged. Importing tests imports docutils which imports pkg_resources which adds a warnings filter.

• bpo-34401: Make test_gdb properly run on HP-UX. Patch by Michael Osipov.

Build

• bpo-40204: Pin Sphinx version to 2.3.1 in Doc/Makefile.

• bpo-40653: Move _dirnameW out of HAVE_SYMLINK to fix a potential compiling issue.

Windows

• bpo-41074: Fixed support of non-ASCII names in functions msilib.OpenDatabase() and msilib.init_database() and non-ASCII SQL in method msilib.Database.OpenView().

• bpo-40164: Updates Windows OpenSSL to 1.1.1g

• bpo-39631: Changes the registered MIME type for .py files on Windows to text/x-python instead of text/plain.

• bpo-40677: Manually define IO_REPARSE_TAG_APPEXECLINK in case some old Windows SDK doesn’t have it.

• bpo-40650: Include winsock2.h in pytime.c for timeval.

• bpo-39148: Add IPv6 support to asyncio datagram endpoints in ProactorEventLoop. Change the raised exception for unknown address families to ValueError as it’s not coming from Windows API.

macOS

• bpo-39580: Avoid opening Finder window if running installer from the command line. Patch contributed by Rick Heil.

• bpo-41100: Fix configure error when building on macOS 11. Note that the current Python release was released shortly after the first developer preview of macOS 11 (Big Sur); there are other known issues with building and running on the developer preview. Big Sur is expected to be fully supported in a future bugfix release of Python 3.8.x and with 3.9.0.

• bpo-41005: fixed an XDG settings issue not allowing macos to open browser in webbrowser.py

• bpo-40741: Update macOS installer to use SQLite 3.32.2.

IDLE

• bpo-41144: Make Open Module open a special module such as os.path.

• bpo-39885: Make context menu Cut and Copy work again when right-clicking within a selection.

• bpo-40723: Make test_idle pass when run after import.

Tools/Demos

• bpo-40479: Update multissltest helper to test with latest OpenSSL 1.0.2, 1.1.0, 1.1.1, and 3.0.0-alpha.

• bpo-40163: Fix multissltest tool. OpenSSL has changed download URL for old releases. The multissltest tool now tries to download from current and old download URLs.

Python 3.8.3 final

Release date: 2020-05-13

Core and Builtins

• bpo-40527: Fix command line argument parsing: no longer write errors multiple times into stderr.

• bpo-40417: Fix imp module deprecation warning when PyImport_ReloadModule is called. Patch by Robert Rouhani.

• bpo-39562: The constant values of future flags in the __future__ module are updated in order to prevent collision with compiler flags. Previously PyCF_ALLOW_TOP_LEVEL_AWAIT was clashing with CO_FUTURE_DIVISION.

Library

• bpo-40559: Fix possible memory leak in the C implementation of asyncio.Task.

• bpo-40355: Improve error reporting in ast.literal_eval() in the presence of malformed ast.Dict nodes instead of silently ignoring any non-conforming elements. Patch by Curtis Bucher.

• bpo-40459: platform.win32_ver() now produces correct ptype strings instead of empty strings.

• bpo-40398: typing.get_args() now always returns an empty tuple for special generic aliases.

Documentation

• bpo-40561: Provide docstrings for webbrowser open functions.

• bpo-39435: Fix an incorrect signature for pickle.loads() in the docs

Windows

• bpo-40458: Increase reserved stack space to prevent overflow crash on Windows.

C API

• bpo-40412: Nullify inittab_copy during finalization, preventing future interpreter initializations in an embedded situation from crashing. Patch by Gregory Szorc.

Python 3.8.3 release candidate 1

Release date: 2020-04-29

Security

• bpo-40121: Fixes audit events raised on creating a new socket.

• bpo-38576: Disallow control characters in hostnames in http.client, addressing CVE-2019-18348. Such potentially malicious header injection URLs now cause a InvalidURL to be raised.

• bpo-39503: CVE-2020-8492: The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression which can be exploited by an attacker to cause a denial of service. Fix the regex to prevent the catastrophic backtracking. Vulnerability reported by Ben Caller and Matt Schwager.

Core and Builtins

• bpo-20526: Fix PyThreadState_Clear(). PyThreadState.frame is a borrowed reference, not a strong reference: PyThreadState_Clear() must not call Py_CLEAR(tstate->frame).

• bpo-39965: Correctly raise SyntaxError if await is used inside non-async functions and PyCF_ALLOW_TOP_LEVEL_AWAIT is set (like in the asyncio REPL). Patch by Pablo Galindo.

• bpo-39562: Allow executing asynchronous comprehensions on the top level when the PyCF_ALLOW_TOP_LEVEL_AWAIT flag is given. Patch by Batuhan Taskaya.

• bpo-38894: Fix a bug that was causing incomplete results when calling pathlib.Path.glob in the presence of symlinks that point to files where the user does not have read access. Patch by Pablo Galindo and Matt Wozniski.

• bpo-39871: Fix a possible SystemError in math.{atan2,copysign,remainder}() when the first argument cannot be converted to a float. Patch by Zackery Spytz.

• bpo-39776: Fix race condition where threads created by PyGILState_Ensure() could get a duplicate id.

  This affects consumers of tstate->id like the contextvar caching machinery, which could return invalid cached objects under heavy thread load (observed in embedded scenarios).

• bpo-39778: Fixed a crash due to incorrect handling of weak references in collections.OrderedDict classes. Patch by Pablo Galindo.

• bpo-39520: Fix unparsing of ext slices with no items (foo[:,]). Patch by Batuhan Taskaya.

• bpo-22490: Don’t leak environment variable __PYVENV_LAUNCHER__ into the interpreter session on macOS.

Library

• bpo-40138: Fix the Windows implementation of os.waitpid() for exit code larger than INT_MAX >> 8. The exit status is now interpreted as an unsigned number.

• bpo-39942: Set “__main__” as the default module name when “__name__” is missing in typing.TypeVar. Patch by Weipeng Hong.

• bpo-40330: In ShareableList.__setitem__(), check the size of a new string item after encoding it to utf-8, not before.

• bpo-40287: Fixed SpooledTemporaryFile.seek() to return the position.

• bpo-40260: Ensure modulefinder uses io.open_code() and respects coding comments.

• bpo-40196: Fix a bug in the symtable module that was causing incorrectly report global variables as local. Patch by Pablo Galindo.

• bpo-40126: Fixed reverting multiple patches in unittest.mock. Patcher’s __exit__() is now never called if its __enter__() is failed. Returning true from __exit__() silences now the exception.

• bpo-40089: Fix threading._after_fork(): if fork was not called by a thread spawned by threading.Thread, threading._after_fork() now creates a _MainThread instance for _main_thread, instead of a _DummyThread instance.

• bpo-39503: AbstractBasicAuthHandler of urllib.request now parses all WWW-Authenticate HTTP headers and accepts multiple challenges per header: use the realm of the first Basic challenge.

• bpo-40014: Fix os.getgrouplist(): if getgrouplist() function fails because the group list is too small, retry with a larger group list. On failure, the glibc implementation of getgrouplist() sets ngroups to the total number of groups. For other implementations, double the group list size.

• bpo-40016: In re docstring, clarify the relationship between inline and argument compile flags.

• bpo-39953: Update internal table of OpenSSL error codes in the ssl module.

• bpo-39360: Ensure all workers exit when finalizing a multiprocessing.Pool implicitly via the module finalization handlers of multiprocessing. This fixes a deadlock situation that can be experienced when the Pool is not properly finalized via the context manager or a call to multiprocessing.Pool.terminate. Patch by Batuhan Taskaya and Pablo Galindo.

• bpo-39652: The column name found in sqlite3.Cursor.description is now truncated on the first ‘[’ only if the PARSE_COLNAMES option is set.

• bpo-39915: Ensure unittest.mock.AsyncMock.await_args_list has call objects in the order of awaited arguments instead of using unittest.mock.Mock.call_args which has the last value of the call. Patch by Karthikeyan Singaravelan.

• bpo-38662: The ensurepip module now invokes pip via the runpy module. Hence it is no longer tightly coupled with the internal API of the bundled pip version, allowing easier updates to a newer pip version both internally and for distributors.

• bpo-39916: More reliable use of os.scandir() in Path.glob(). It no longer emits a ResourceWarning when interrupted.

• bpo-39850: multiprocessing now supports abstract socket addresses (if abstract sockets are supported in the running platform). Patch by Pablo Galindo.

• bpo-39828: Fix json.tool to catch BrokenPipeError. Patch by Dong-hee Na.

• bpo-13487: Avoid a possible “RuntimeError: dictionary changed size during iteration” from inspect.getmodule() when it tried to loop through sys.modules.

• bpo-39794: Add –without-decimal-contextvar build option. This enables a thread-local rather than a coroutine local context.

• bpo-39769: The compileall.compile_dir() function’s ddir parameter and the compileall command line flag -d no longer write the wrong pathname to the generated pyc file for submodules beneath the root of the directory tree being compiled. This fixes a regression introduced with Python 3.5.

• bpo-39517: Fix runpy.run_path() when using pathlike objects

• bpo-39764: Fix AttributeError when calling get_stack on a PyAsyncGenObject Task

• bpo-30566: Fix IndexError when trying to decode an invalid string with punycode codec.

• bpo-39667: Correct performance degradation in zipfile.Path as found in zipp 3.0. While retaining compatibility, this change discourages the use of zipfile.Path.open due to the signature change in Python 3.9. For compatibility across Python 3.8 and later versions, consider using zipp.Path on Python 3.8.x and earlier.

• bpo-39548: Fix handling of header in urllib.request.AbstractDigestAuthHandler when the optional qop parameter is not present.

• bpo-38971: Open issue in the BPO indicated a desire to make the implementation of codecs.open() at parity with io.open(), which implements a try/except to assure file stream gets closed before an exception is raised.

• bpo-38410: Properly handle sys.audit() failures in sys.set_asyncgen_hooks(). Based on patch by Zackery Spytz.

• bpo-36541: lib2to3 now recognizes named assignment expressions (the walrus operator, :=)

• bpo-31758: Prevent crashes when using an uninitialized _elementtree.XMLParser object. Patch by Oren Milman.

Documentation

• bpo-27635: The pickle documentation incorrectly claimed that __new__ isn’t called by default when unpickling.

• bpo-39879: Updated Data model docs to include dict() insertion order preservation. Patch by Furkan Onder and Samy Lahfa.

• bpo-39868: Updated the Language Reference for PEP 572.

• bpo-13790: Change ‘string’ to ‘specification’ in format doc.

• bpo-17422: The language reference no longer restricts default class namespaces to dicts only.

• bpo-39530: Fix misleading documentation about mixed-type numeric comparisons.

• bpo-39718: Update token documentation to reflect additions in Python 3.8

• bpo-39677: Changed operand name of MAKE_FUNCTION from argc to flags for module dis

• bpo-38387: Document PyDoc_STRVAR macro in the C-API reference.

Tests

• bpo-40436: test_gdb and test.pythoninfo now check gdb command exit code.

• bpo-40162: Update Travis CI configuration to OpenSSL 1.1.1f.

• bpo-40146: Update OpenSSL to 1.1.1f in Azure Pipelines.

• bpo-40019: test_gdb now skips tests if it detects that gdb failed to read debug information because the Python binary is optimized.

• bpo-27807: test_site.test_startup_imports() is now skipped if a path of sys.path contains a .pth file.

• bpo-39793: Use the same domain when testing make_msgid. Patch by Batuhan Taskaya.

• bpo-1812: Fix newline handling in doctest.testfile when loading from a package whose loader has a get_data method. Patch by Peter Donis.

• bpo-37957: test.regrtest now can receive a list of test patterns to ignore (using the -i/–ignore argument) or a file with a list of patterns to ignore (using the –ignore-file argument). Patch by Pablo Galindo.

• bpo-38502: test.regrtest now uses process groups in the multiprocessing mode (-jN command line option) if process groups are available: if os.setsid() and os.killpg() functions are available.

Build

• bpo-38360: Support single-argument form of macOS -isysroot flag.

• bpo-40204: Pin Sphinx version to 1.8.2 in Doc/Makefile.

• bpo-40158: Fix CPython MSBuild Properties in NuGet Package (build/native/python.props)

• bpo-38527: Fix configure check on Solaris for “float word ordering”: sometimes, the correct “grep” command was not being used. Patch by Arnon Yaari.

Windows

• bpo-40164: Updates Windows to OpenSSL 1.1.1f

• bpo-39930: Ensures the required vcruntime140.dll is included in install packages.

• bpo-39847: Avoid hang when computer is hibernated whilst waiting for a mutex (for lock-related objects from threading) around 49-day uptime.

• bpo-38597: distutils will no longer statically link vcruntime140.dll when a redistributable version is unavailable. All future releases of CPython will include a copy of this DLL to ensure distributed extensions can continue to load.

• bpo-38380: Update Windows builds to use SQLite 3.31.1

• bpo-39789: Update Windows release build machines to Visual Studio 2019 (MSVC 14.2).

• bpo-34803: Package for nuget.org now includes repository reference and bundled icon image.

macOS

• bpo-40164: Update macOS installer builds to use OpenSSL 1.1.1g.

• bpo-38380: Update macOS builds to use SQLite 3.31.1

IDLE

• bpo-27115: For ‘Go to Line’, use a Query box subclass with IDLE standard behavior and improved error checking.

• bpo-39885: Since clicking to get an IDLE context menu moves the cursor, any text selection should be and now is cleared.

• bpo-39852: Edit “Go to line” now clears any selection, preventing accidental deletion. It also updates Ln and Col on the status bar.

• bpo-39781: Selecting code context lines no longer causes a jump.

• bpo-38439: Add a 256×256 pixel IDLE icon to support more modern environments. Created by Andrew Clover. Delete the unused macOS idle.icns icon file.

• bpo-38689: IDLE will no longer freeze when inspect.signature fails when fetching a calltip.

Tools/Demos

• bpo-40179: Fixed translation of #elif in Argument Clinic.

• bpo-36184: Port python-gdb.py to FreeBSD. python-gdb.py now checks for “take_gil” function name to check if a frame tries to acquire the GIL, instead of checking for “pthread_cond_timedwait” which is specific to Linux and can be a different condition than the GIL.

• bpo-39889: Fixed unparse.py for extended slices containing a single element (e.g. a[i:j,]). Remove redundant tuples when index with a tuple (e.g. a[i, j]).

C API

• bpo-35370: If PySys_Audit() fails in PyEval_SetProfile() or PyEval_SetTrace(), log the error as an unraisable exception.

• bpo-39884: PyDescr_NewMethod() and PyCFunction_NewEx() now include the method name in the SystemError “bad call flags” error message to ease debug.

• bpo-38643: PyNumber_ToBase() now raises a SystemError instead of crashing when called with invalid base.

• bpo-38913: Fixed segfault in Py_BuildValue() called with a format containing “#” and undefined PY_SSIZE_T_CLEAN whwn an exception is set.

Python 3.8.2 final

Release date: 2020-02-24

Core and Builtins

• bpo-39382: Fix a use-after-free in the single inheritance path of issubclass(), when the __bases__ of an object has a single reference, and so does its first item. Patch by Yonatan Goldschmidt.

• bpo-39427: Document all possibilities for the -X options in the command line help section. Patch by Pablo Galindo.

Library

• bpo-39649: Remove obsolete check for __args__ in bdb.Bdb.format_stack_entry.

• bpo-39681: Fix a regression where the C pickle module wouldn’t allow unpickling from a file-like object that doesn’t expose a readinto() method.

• bpo-39546: Fix a regression in ArgumentParser where allow_abbrev=False was ignored for long options that used a prefix character other than “-“.

• bpo-39432: Implement PEP-489 algorithm for non-ascii “PyInit_…” symbol names in distutils to make it export the correct init symbol also on Windows.

Documentation

• bpo-17422: The language reference now specifies restrictions on class namespaces. Adapted from a patch by Ethan Furman.

• bpo-39572: Updated documentation of total flag of TypeDict.

• bpo-39654: In pyclbr doc, update ‘class’ to ‘module’ where appropriate and add readmodule comment. Patch by Hakan Çelik.

IDLE

• bpo-39663: Add tests for pyparse find_good_parse_start().

Python 3.8.2 release candidate 2

Release date: 2020-02-17

Security

• bpo-39184: Add audit events to functions in fcntl, msvcrt, os, resource, shutil, signal and syslog.

Core and Builtins

• bpo-39619: Enable use of os.chroot() on HP-UX systems.

• bpo-39606: Fix regression caused by fix for bpo-39386, that prevented calling aclose on an async generator that had already been closed or exhausted.

• bpo-39453: Fixed a possible crash in list.__contains__() when a list is changed during comparing items. Patch by Dong-hee Na.

• bpo-39219: Syntax errors raised in the tokenizer now always set correct “text” and “offset” attributes.

Library

• bpo-27657: The original fix for bpo-27657, “Fix urlparse() with numeric paths” (PR 16839) included in 3.8.1, inadvertently introduced a behavior change that broke several third-party packages relying on the original undefined parsing behavior. The change is reverted in 3.8.2, restoring the behavior of 3.8.0 and earlier releases.

• bpo-39474: Fixed starting position of AST for expressions like (a)(b), (a)[b] and (a).b.

• bpo-21016: The pydoc and trace modules now use the sysconfig module to get the path to the Python standard library, to support uncommon installation path like /usr/lib64/python3.9/ on Fedora. Patch by Jan Matějek.

• bpo-39595: Improved performance of zipfile.Path for files with a large number of entries. Also improved performance and fixed minor issue as published with importlib_metadata 1.5.

IDLE

• bpo-39600: In the font configuration window, remove duplicated font names.

Python 3.8.2 release candidate 1

Release date: 2020-02-10

Security

• bpo-39401: Avoid unsafe load of api-ms-win-core-path-l1-1-0.dll at startup on Windows 7.

• bpo-39184: Add audit events to command execution functions in os and pty modules.

Core and Builtins

• bpo-39579: Change the ending column offset of Attribute nodes constructed in ast_for_dotted_name to point at the end of the current node and not at the end of the last NAME node.

• bpo-39510: Fix segfault in readinto() method on closed BufferedReader.

• bpo-39492: Fix a reference cycle in the C Pickler that was preventing the garbage collection of deleted, pickled objects.

• bpo-39421: Fix possible crashes when operating with the functions in the heapq module and custom comparison operators.

• bpo-39386: Prevent double awaiting of async iterator.

• bpo-39235: Fix AST end location for lone generator expression in function call, e.g. f(i for i in a).

• bpo-39209: Correctly handle multi-line tokens in interactive mode. Patch by Pablo Galindo.

• bpo-39216: Fix constant folding optimization for positional only arguments - by Anthony Sottile.

• bpo-39215: Fix SystemError when nested function has annotation on positional-only argument - by Anthony Sottile.

• bpo-38588: Fix possible crashes in dict and list when calling PyObject_RichCompareBool().

• bpo-38610: Fix possible crashes in several list methods by holding strong references to list elements when calling PyObject_RichCompareBool().

Library

• bpo-39590: Collections.deque now holds strong references during deque.__contains__ and deque.count, fixing crashes.

• bpo-38149: sys.audit() is now called only once per call of glob.glob() and glob.iglob().

• bpo-39450: Striped whitespace from docstring before returning it from unittest.case.shortDescription().

• bpo-39493: Mark typing.IO.closed as a property

• bpo-39485: Fix a bug in unittest.mock.create_autospec() that would complain about the wrong number of arguments for custom descriptors defined in an extension module returning functions.

• bpo-39082: Allow AsyncMock to correctly patch static/class methods

• bpo-39430: Fixed race condition in lazy imports in tarfile.

• bpo-39390: Fixed a regression with the ignore callback of shutil.copytree(). The argument types are now str and List[str] again.

• bpo-39389: Write accurate compression level metadata in gzip archives, rather than always signaling maximum compression.

• bpo-39274: bool(fraction.Fraction) now returns a boolean even if (numerator != 0) does not return a boolean (ex: numpy number).

• bpo-39297: Improved performance of importlib.metadata distribution discovery and resilients to inaccessible sys.path entries (importlib_metadata v1.4.0).

• bpo-39242: Updated the Gmane domain from news.gmane.org to news.gmane.io which is used for examples of NNTP news reader server and nntplib tests.

• bpo-38907: In http.server script, restore binding to IPv4 on Windows.

• bpo-39152: Fix ttk.Scale.configure([name]) to return configuration tuple for name or all options. Giovanni Lombardo contributed part of the patch.

• bpo-39198: If an exception were to be thrown in Logger.isEnabledFor (say, by asyncio timeouts or stopit) , the logging global lock may not be released appropriately, resulting in deadlock. This change wraps that block of code with try...finally to ensure the lock is released.

• bpo-39191: Perform a check for running loop before starting a new task in loop.run_until_complete() to fail fast; it prevents the side effect of new task spawning before exception raising.

• bpo-38871: Correctly parenthesize filter-based statements that contain lambda expressions in mod:lib2to3. Patch by Dong-hee Na.

• bpo-39142: A change was made to logging.config.dictConfig to avoid converting instances of named tuples to ConvertingTuple. It’s assumed that named tuples are too specialised to be treated like ordinary tuples; if a user of named tuples requires ConvertingTuple functionality, they will have to implement that themselves in their named tuple class.

• bpo-39129: Fix import path for asyncio.TimeoutError

• bpo-39057: urllib.request.proxy_bypass_environment() now ignores leading dots and no longer ignores a trailing newline.

• bpo-39056: Fixed handling invalid warning category in the -W option. No longer import the re module if it is not needed.

• bpo-39055: base64.b64decode() with validate=True raises now a binascii.Error if the input ends with a single \n.

• bpo-39033: Fix NameError in zipimport. Patch by Karthikeyan Singaravelan.

• bpo-38878: Fixed __subclasshook__ of os.PathLike to return a correct result upon inheritence. Patch by Bar Harel.

• bpo-35182: Fixed Popen.communicate() subsequent call crash when the child process has already closed any piped standard stream, but still continues to be running. Patch by Andriy Maletsky.

• bpo-38473: Use signature from inner mock for autospecced methods attached with unittest.mock.attach_mock(). Patch by Karthikeyan Singaravelan.

• bpo-38293: Add copy.copy() and copy.deepcopy() support to property() objects.

Documentation

• bpo-39153: Clarify refcounting semantics for the following functions: - PyObject_SetItem - PyMapping_SetItemString - PyDict_SetItem - PyDict_SetItemString

• bpo-39392: Explain that when filling with turtle, overlap regions may be left unfilled.

• bpo-39381: Mention in docs that asyncio.get_event_loop() implicitly creates new event loop only if called from the main thread.

• bpo-38918: Add an entry for __module__ in the “function” & “method” sections of the inspect docs types and members table

• bpo-3530: In the ast module documentation, fix a misleading NodeTransformer example and add advice on when to use the fix_missing_locations function.

Tests

• bpo-39502: Skip test_zipfile.test_add_file_after_2107() if time.localtime() fails with OverflowError. It is the case on AIX 6.1 for example.

• bpo-38546: Fix test_ressources_gced_in_workers() of test_concurrent_futures: explicitly stop the manager to prevent leaking a child process running in the background after the test completes.

Build

• bpo-39144: The ctags and etags build targets both include Modules/_ctypes and Python standard library source files.

Windows

• bpo-39439: Honor the Python path when a virtualenv is active on Windows.

• bpo-39393: Improve the error message when attempting to load a DLL with unresolved dependencies.

• bpo-38883: home() and expanduser() on Windows now prefer USERPROFILE and no longer use HOME, which is not normally set for regular user accounts. This makes them again behave like os.path.expanduser(), which was changed to ignore HOME in 3.8, see bpo-36264.

• bpo-39185: The build.bat script has additional options for very-quiet output (-q) and very-verbose output (-vv)

IDLE

• bpo-30780: Add remaining configdialog tests for buttons and highlights and keys tabs.

• bpo-39388: IDLE Settings Cancel button now cancels pending changes

• bpo-39050: Make IDLE Settings dialog Help button work again.

• bpo-34118: Tag memoryview, range, and tuple as classes, the same as list, etcetera, in the library manual built-in functions list.

• bpo-38792: Close an IDLE shell calltip if a KeyboardInterrupt or shell restart occurs. Patch by Zackery Spytz.

• bpo-32989: Add tests for editor newline_and_indent_event method. Remove dead code from pyparse find_good_parse_start method.

Python 3.8.1 final

Release date: 2019-12-18

Core and Builtins

• bpo-39080: Fix the value of end_col_offset for Starred Expression AST nodes when they are among the elements in the args attribute of Call AST nodes.

• bpo-39031: When parsing an “elif” node, lineno and col_offset of the node now point to the “elif” keyword and not to its condition, making it consistent with the “if” node. Patch by Lysandros Nikolaou.

• bpo-39008: PySys_Audit() now requires Py_ssize_t to be used for size arguments in the format string, regardless of whether PY_SSIZE_T_CLEAN was defined at include time.

Library

• bpo-39022: Update importlib.metadata to include improvements from importlib_metadata 1.3 including better serialization of EntryPoints and improved documentation for custom finders.

• bpo-38811: Fix an unhandled exception in pathlib when os.link() is missing. Patch by Toke Høiland-Jørgensen.

• bpo-36406: Handle namespace packages in doctest. Patch by Karthikeyan Singaravelan.

Tests

• bpo-38546: Multiprocessing and concurrent.futures tests now stop the resource tracker process when tests complete.

Windows

• bpo-39007: Add auditing events to functions in winreg.

macOS

• bpo-38295: Prevent failure of test_relative_path in test_py_compile on macOS Catalina.

IDLE

• bpo-38944: Escape key now closes IDLE completion windows. Patch by Johnny Najera.

• bpo-38943: Fix IDLE autocomplete windows not always appearing on some systems. Patch by Johnny Najera.

Python 3.8.1 release candidate 1

Release date: 2019-12-09

Security

• bpo-38945: Newline characters have been escaped when performing uu encoding to prevent them from overflowing into to content section of the encoded file. This prevents malicious or accidental modification of data during the decoding process.

• bpo-37228: Due to significant security concerns, the reuse_address parameter of asyncio.loop.create_datagram_endpoint() is no longer supported. This is because of the behavior of SO_REUSEADDR in UDP. For more details, see the documentation for loop.create_datagram_endpoint(). (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in bpo-37228.)

• bpo-38722: runpy now uses io.open_code() to open code files. Patch by Jason Killen.

• bpo-38804: Fixes a ReDoS vulnerability in http.cookiejar. Patch by Ben Caller.

• bpo-38622: Add additional audit events for the ctypes module.

• bpo-38418: Fixes audit event for os.system() to be named os.system.

Core and Builtins

• bpo-38673: In REPL mode, don’t switch to PS2 if the line starts with comment or whitespace. Based on work by Batuhan Taşkaya.

• bpo-38922: Calling replace on a code object now raises the code.__new__ audit event.

• bpo-38920: Add audit hooks for when sys.excepthook() and sys.unraisablehook() are invoked

• bpo-38892: Improve documentation for audit events table and functions.

• bpo-38707: MainThread.native_id is now correctly reset in child processes spawned using multiprocessing.Process, instead of retaining the parent’s value.

• bpo-38640: Fixed a bug in the compiler that was causing to raise in the presence of break statements and continue statements inside always false while loops. Patch by Pablo Galindo.

• bpo-38535: Fixed line numbers and column offsets for AST nodes for calls without arguments in decorators.

• bpo-38525: Fix a segmentation fault when using reverse iterators of empty dict objects. Patch by Dong-hee Na and Inada Naoki.

• bpo-35409: Ignore GeneratorExit exceptions when throwing an exception into the aclose coroutine of an asynchronous generator.

Library

• bpo-39006: Fix asyncio when the ssl module is missing: only check for ssl.SSLSocket instance if the ssl module is available.

• bpo-38708: Fix a potential IndexError in email parser when parsing an empty msg-id.

• bpo-38698: Add a new InvalidMessageID token to email parser to represent invalid Message-ID headers. Also, add defects when there is remaining value after parsing the header.

• bpo-38979: Return class from ContextVar.__class_getitem__ to simplify subclassing.

• bpo-38986: Make repr of C accelerated TaskWakeupMethWrapper the same as of pure Python version.

• bpo-38529: Drop too noisy asyncio warning about deletion of a stream without explicit .close() call.

• bpo-38634: The readline module now detects if Python is linked to libedit at runtime on all platforms. Previously, the check was only done on macOS.

• bpo-33684: Fix json.tool failed to read a JSON file with non-ASCII characters when locale encoding is not UTF-8.

• bpo-38698: Prevent UnboundLocalError to pop up in parse_message_id

  parse_message_id() was improperly using a token defined inside an exception handler, which was raising UnboundLocalError on parsing an invalid value. Patch by Claudiu Popa.

• bpo-26730: Fix SpooledTemporaryFile.rollover() might corrupt the file when it is in text mode. Patch by Serhiy Storchaka.

• bpo-38668: Calling func:shutil.copytree to copy a directory tree from one directory to another subdirectory resulted in an endless loop and a RecursionError. A fix was added to consume an iterator and create the list of the entries to be copied, avoiding the recursion for newly created directories. Patch by Bruno P. Kinoshita.

• bpo-37838: typing.get_type_hints() properly handles functions decorated with functools.wraps().

• bpo-38859: AsyncMock now returns StopAsyncIteration on the exaustion of a side_effects iterable. Since PEP-479 its Impossible to raise a StopIteration exception from a coroutine.

• bpo-38857: AsyncMock fix for return values that are awaitable types. This also covers side_effect iterable values that happend to be awaitable, and wraps callables that return an awaitable type. Before these awaitables were being awaited instead of being returned as is.

• bpo-38821: Fix unhandled exceptions in argparse when internationalizing error messages for arguments with nargs set to special (non-integer) values. Patch by Federico Bond.

• bpo-38820: Make Python compatible with OpenSSL 3.0.0. ssl.SSLSocket.getpeercert() no longer returns IPv6 addresses with a trailing new line.

• bpo-38807: Update TypeError messages for os.path.join() to include os.PathLike objects as acceptable input types.

• bpo-38785: Prevent asyncio from crashing if parent __init__ is not called from a constructor of object derived from asyncio.Future.

• bpo-38723: pdb now uses io.open_code() to trigger auditing events.

• bpo-27805: Allow opening pipes and other non-seekable files in append mode with open().

• bpo-38686: Added support for multiple qop values in urllib.request.AbstractDigestAuthHandler.

• bpo-38334: Fixed seeking backward on an encrypted zipfile.ZipExtFile.

• bpo-34679: asynci.ProactorEventLoop.close() now only calls signal.set_wakeup_fd() in the main thread.

• bpo-31202: The case the result of pathlib.WindowsPath.glob() matches now the case of the pattern for literal parts.

• bpo-38521: Fixed erroneous equality comparison in statistics.NormalDist().

• bpo-38478: Fixed a bug in inspect.signature.bind() that was causing it to fail when handling a keyword argument with same name as positional-only parameter. Patch by Pablo Galindo.

• bpo-33604: Fixed hmac.new and hmac.HMAC to raise TypeError instead of ValueError when the digestmod parameter, now required in 3.8, is omitted. Also clarified the hmac module documentation and docstrings.

• bpo-38422: Clarify docstrings of pathlib suffix(es)

• bpo-36993: Improve error reporting for corrupt zip files with bad zip64 extra data. Patch by Daniel Hillier.

• bpo-36820: Break cycle generated when saving an exception in socket.py, codeop.py and dyld.py as they keep alive not only the exception but user objects through the __traceback__ attribute. Patch by Mario Corchero.

• bpo-34776: Fix dataclasses to support forward references in type annotations

• bpo-33348: lib2to3 now recognizes expressions after * and ** like in f(*[] or []).

• bpo-27657: Fix urllib.parse.urlparse() with numeric paths. A string like “path:80” is no longer parsed as a path but as a scheme (“path”) and a path (“80”).

Documentation

• bpo-38816: Provides more details about the interaction between fork() and CPython’s runtime, focusing just on the C-API. This includes cautions about where fork() should and shouldn’t be called.

• bpo-38351: Modernize email examples from %-formatting to f-strings.

• bpo-38778: Document the fact that RuntimeError is raised if os.fork() is called in a subinterpreter.

• bpo-38592: Add Brazilian Portuguese to the language switcher at Python Documentation website.

Tests

• bpo-38547: Fix test_pty: if the process is the session leader, closing the master file descriptor raises a SIGHUP signal: simply ignore SIGHUP when running the tests.

• bpo-38992: Fix a test for math.fsum() that was failing due to constant folding.

• bpo-38965: Fix test_faulthandler on GCC 10. Use the “volatile” keyword in faulthandler._stack_overflow() to prevent tail call optimization on any compiler, rather than relying on compiler specific pragma.

• bpo-38875: test_capi: trashcan tests now require the test “cpu” resource.

• bpo-38841: Skip asyncio test_create_datagram_endpoint_existing_sock_unix on platforms lacking a functional bind() for named unix domain sockets.

• bpo-38669: Raise TypeError when passing target as a string with unittest.mock.patch.object().

• bpo-35998: Fix a race condition in test_asyncio.test_start_tls_server_1(). Previously, there was a race condition between the test main() function which replaces the protocol and the test ServerProto protocol which sends ANSWER once it gets HELLO. Now, only the test main() function is responsible to send data, ServerProto no longer sends data.

Build

• bpo-37404: asyncio now raises TyperError when calling incompatible methods with an ssl.SSLSocket socket. Patch by Ido Michael.

• bpo-38809: On Windows, build scripts will now recognize and use python.exe from an active virtual env.

• bpo-38684: Fix _hashlib build when Blake2 is disabled, but OpenSSL supports it.

• bpo-37415: Fix stdatomic.h header check for ICC compiler: the ICC implementation lacks atomic_uintptr_t type which is needed by Python.

Windows

• bpo-33125: Add support for building and releasing Windows ARM64 packages.

• bpo-38589: Fixes HTML Help shortcut when Windows is not installed to C drive

• bpo-38453: Ensure ntpath.realpath() correctly resolves relative paths.

• bpo-38519: Restores the internal C headers that were missing from the nuget.org and Microsoft Store packages.

• bpo-38492: Remove pythonw.exe dependency on the Microsoft C++ runtime.

macOS

• bpo-37931: Fixed a crash on OSX dynamic builds that occurred when re-initializing the posix module after a Py_Finalize if the environment had changed since the previous import posix. Patch by Benoît Hudson.

IDLE

• bpo-38862: ‘Strip Trailing Whitespace’ on the Format menu removes extra newlines at the end of non-shell files.

• bpo-26353: Stop adding newline when saving an IDLE shell window.

• bpo-38636: Fix IDLE Format menu tab toggle and file indent width. These functions (default shortcuts Alt-T and Alt-U) were mistakenly disabled in 3.7.5 and 3.8.0.

• bpo-4630: Add an option to toggle IDLE’s cursor blink for shell, editor, and output windows. See Settings, General, Window Preferences, Cursor Blink. Patch by Zackery Spytz.

• bpo-38598: Do not try to compile IDLE shell or output windows

C API

• bpo-37633: Re-export some function compatibility wrappers for macros in pythonrun.h.

• bpo-38540: Fixed possible leak in PyArg_Parse() and similar functions for format units "es#" and "et#" when the macro PY_SSIZE_T_CLEAN is not defined.

• bpo-36389: The _PyObject_CheckConsistency() function is now also available in release mode. For example, it can be used to debug a crash in the visit_decref() function of the GC.

Python 3.8.0 final

Release date: 2019-10-14

Core and Builtins

• bpo-38469: Fixed a bug where the scope of named expressions was not being resolved correctly in the presence of the global keyword. Patch by Pablo Galindo.

• bpo-38379: When cyclic garbage collection (gc) runs finalizers that resurrect unreachable objects, the current gc run ends, without collecting any cyclic trash. However, the statistics reported by collect() and get_stats() claimed that all cyclic trash found was collected, and that the resurrected objects were collected. Changed the stats to report that none were collected.

Library

• bpo-38449: Revert PR 15522, which introduces a regression in mimetypes.guess_type() due to improper handling of filenames as urls.

• bpo-38431: Fix __repr__ method for dataclasses.InitVar to support typing objects, patch by Samuel Colvin.

• bpo-38109: Add missing stat.S_IFDOOR, stat.S_IFPORT, stat.S_IFWHT, stat.S_ISDOOR(), stat.S_ISPORT(), and stat.S_ISWHT() values to the Python implementation of stat.

• bpo-38405: Nested subclasses of typing.NamedTuple are now pickleable.

• bpo-38332: Prevent KeyError thrown by _encoded_words.decode() when given an encoded-word with invalid content-type encoding from propagating all the way to email.message.get().

• bpo-38341: Add smtplib.SMTPNotSupportedError to the smtplib exported names.

• bpo-13153: OS native encoding is now used for converting between Python strings and Tcl objects. This allows to display, copy and paste to clipboard emoji and other non-BMP characters. Converting strings from Tcl to Python and back now never fails (except MemoryError).

Documentation

• bpo-38294: Add list of no-longer-escaped chars to re.escape documentation.

Tests

• bpo-37531: On timeout, regrtest no longer attempts to call popen.communicate() again: it can hang until all child processes using stdout and stderr pipes completes. Kill the worker process and ignores its output. Change also the faulthandler timeout of the main process from 1 minute to 5 minutes, for Python slowest buildbots.

Windows

• bpo-38344: Fix error message in activate.bat.

• bpo-38359: Ensures pyw.exe launcher reads correct registry key.

• bpo-38355: Fixes ntpath.realpath failing on sys.executable.

IDLE

• bpo-36698: IDLE no longer fails when write non-encodable characters to stderr. It now escapes them with a backslash, as the regular Python interpreter. Added the errors field to the standard streams.

Tools/Demos

• bpo-38118: Update Valgrind suppression file to ignore a false alarm in PyUnicode_Decode() when using GCC builtin strcmp().

• bpo-38347: pathfix.py: Assume all files that end on ‘.py’ are Python scripts when working recursively.

C API

• bpo-38395: Fix a crash in weakref.proxy objects due to incorrect lifetime management when calling some associated methods that may delete the last reference to object being referenced by the proxy. Patch by Pablo Galindo.

Python 3.8.0 release candidate 1

Release date: 2019-10-01

Security

• bpo-38243: Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering the document page as HTML. (Contributed by Dong-hee Na in bpo-38243.)

• bpo-38174: Update vendorized expat library version to 2.2.8, which resolves CVE-2019-15903.

• bpo-37764: Fixes email._header_value_parser.get_unstructured going into an infinite loop for a specific case in which the email header does not have trailing whitespace, and the case in which it contains an invalid encoded word. Patch by Ashwin Ramaswami.

Core and Builtins

• bpo-38006: Fix a bug due to the interaction of weakrefs and the cyclic garbage collector. We must clear any weakrefs in garbage in order to prevent their callbacks from executing and causing a crash.

• bpo-38317: Fix warnings options priority: PyConfig.warnoptions has the highest priority, as stated in the PEP 587.

• bpo-36871: Improve error handling for the assert_has_calls and assert_has_awaits methods of mocks. Fixed a bug where any errors encountered while binding the expected calls to the mock’s spec were silently swallowed, leading to misleading error output.

• bpo-38236: Python now dumps path configuration if it fails to import the Python codecs of the filesystem and stdio encodings.

• bpo-38013: Allow to call async_generator_athrow().throw(...) even for non-started async generator helper. It fixes annoying warning at the end of asyncio.run() call.

• bpo-38124: Fix an off-by-one error in PyState_AddModule that could cause out-of-bounds memory access.

• bpo-38005: Fixed comparing and creating of InterpreterID and ChannelID.

• bpo-37994: Fixed silencing arbitrary errors if an attribute lookup fails in several sites. Only AttributeError should be silenced.

• bpo-37990: Fix elapsed time in gc stats was not printed correctly. This bug was a regression in 3.8b4.

• bpo-37966: The implementation of is_normalized() has been greatly sped up on strings that aren’t normalized, by implementing the full normalization-quick-check algorithm from the Unicode standard.

• bpo-20490: Improve import error message for partially initialized module on circular from imports - by Anthony Sottile.

• bpo-37409: Ensure explicit relative imports from interactive sessions and scripts (having no parent package) always raise ImportError, rather than treating the current module as the package. Patch by Ben Lewis.

• bpo-37619: When adding a wrapper descriptor from one class to a different class (for example, setting __add__ = str.__add__ on an int subclass), an exception is correctly raised when the operator is called.

• bpo-30773: Prohibit parallel running of aclose() / asend() / athrow(). Fix ag_running to reflect the actual running status of the AG.

Library

• bpo-38319: sendfile() used in socket and shutil modules was raising OverflowError for files >= 2GiB on 32-bit architectures. (patch by Giampaolo Rodola)

• bpo-38242: Revert the new asyncio Streams API

• bpo-38019: Correctly handle pause/resume reading of closed asyncio unix pipe.

• bpo-38163: Child mocks will now detect their type as either synchronous or asynchronous, asynchronous child mocks will be AsyncMocks and synchronous child mocks will be either MagicMock or Mock (depending on their parent type).

• bpo-38161: Removes _AwaitEvent from AsyncMock.

• bpo-38216: Allow the rare code that wants to send invalid http requests from the http.client library a way to do so. The fixes for bpo-30458 led to breakage for some projects that were relying on this ability to test their own behavior in the face of bad requests.

• bpo-38108: Any synchronous magic methods on an AsyncMock now return a MagicMock. Any asynchronous magic methods on a MagicMock now return an AsyncMock.

• bpo-38248: asyncio: Fix inconsistent immediate Task cancellation

• bpo-38237: The arguments for the builtin pow function are more descriptive. They can now also be passed in as keywords.

• bpo-38191: Constructors of NamedTuple and TypedDict types now accept arbitrary keyword argument names, including “cls”, “self”, “typename”, “_typename”, “fields” and “_fields”. Passing positional arguments by keyword is deprecated.

• bpo-38185: Fixed case-insensitive string comparison in sqlite3.Row indexing.

• bpo-38136: Changes AsyncMock call count and await count to be two different counters. Now await count only counts when a coroutine has been awaited, not when it has been called, and vice-versa. Update the documentation around this.

• bpo-37828: Fix default mock name in unittest.mock.Mock.assert_called() exceptions. Patch by Abraham Toriz Cruz.

• bpo-38175: Fix a memory leak in comparison of sqlite3.Row objects.

• bpo-33936: _hashlib no longer calls obsolete OpenSSL initialization function with OpenSSL 1.1.0+.

• bpo-34706: Preserve subclassing in inspect.Signature.from_callable.

• bpo-38153: Names of hashing algorithms frome OpenSSL are now normalized to follow Python’s naming conventions. For example OpenSSL uses sha3-512 instead of sha3_512 or blake2b512 instead of blake2b.

• bpo-38115: Fix a bug in dis.findlinestarts() where it would return invalid bytecode offsets. Document that a code object’s co_lnotab can contain invalid bytecode offsets.

• bpo-38148: Add slots to asyncio transport classes, which can reduce memory usage.

• bpo-36991: Fixes a potential incorrect AttributeError exception escaping ZipFile.extract() in some unsupported input error situations.

• bpo-38134: Remove obsolete copy of PBKDF2_HMAC_fast. All supported OpenSSL versions contain a fast implementation.

• bpo-38132: The OpenSSL hashlib wrapper uses a simpler implementation. Several Macros and pointless caches are gone. The hash name now comes from OpenSSL’s EVP. The algorithm name stays the same, except it is now always lower case.

• bpo-38008: Fix parent class check in protocols to correctly identify the module that provides a builtin protocol, instead of assuming they all come from the collections.abc module

• bpo-37405: Fixed regression bug for socket.getsockname() for non-CAN_ISOTP AF_CAN address family sockets by returning a 1-tuple instead of string.

• bpo-38121: Update parameter names on functions in importlib.metadata matching the changes in the 0.22 release of importlib_metadata.

• bpo-38110: The os.closewalk() implementation now uses the libc fdwalk() API on platforms where it is available.

• bpo-38093: Fixes AsyncMock so it doesn’t crash when used with AsyncContextManagers or AsyncIterators.

• bpo-37488: Add warning to datetime.utctimetuple(), datetime.utcnow() and datetime.utcfromtimestamp() .

• bpo-38086: Update importlib.metadata with changes from importlib_metadata 0.21.

• bpo-37251: Remove __code__ check in AsyncMock that incorrectly evaluated function specs as async objects but failed to evaluate classes with __await__ but no __code__ attribute defined as async objects.

• bpo-38037: Fix reference counters in the signal module.

• bpo-38066: Hide internal asyncio.Stream methods: feed_eof(), feed_data(), set_exception() and set_transport().

• bpo-38059: inspect.py now uses sys.exit() instead of exit()

• bpo-37953: In typing, improved the __hash__ and __eq__ methods for ForwardReferences.

• bpo-38026: Fixed inspect.getattr_static() used isinstance while it should avoid dynamic lookup.

• bpo-38010: In importlib.metadata sync with importlib_metadata 0.20, clarifying behavior of files() and fixing issue where only one requirement was returned for requires() on dist-info packages.

• bpo-38006: weakref.WeakValueDictionary defines a local remove() function used as callback for weak references. This function was created with a closure. Modify the implementation to avoid the closure.

• bpo-34410: Fixed a crash in the tee() iterator when re-enter it. RuntimeError is now raised in this case.

• bpo-37140: Fix a ctypes regression of Python 3.8. When a ctypes.Structure is passed by copy to a function, ctypes internals created a temporary object which had the side effect of calling the structure finalizer (__del__) twice. The Python semantics requires a finalizer to be called exactly once. Fix ctypes internals to no longer call the finalizer twice.

• bpo-37972: Subscripts to the unittest.mock.call objects now receive the same chaining mechanism as any other custom attributes, so that the following usage no longer raises a TypeError:

  call().foo().__getitem__(‘bar’)

  Patch by blhsing

• bpo-22347: Update mimetypes.guess_type to allow proper parsing of URLs with only a host name. Patch by Dong-hee Na.

• bpo-37885: venv: Don’t generate unset variable warning on deactivate.

• bpo-37785: Fix xgettext warnings in argparse.

• bpo-11953: Completing WSA* error codes in socket.

• bpo-37424: Fixes a possible hang when using a timeout on subprocess.run() while capturing output. If the child process spawned its own children or otherwise connected its stdout or stderr handles with another process, we could hang after the timeout was reached and our child was killed when attempting to read final output from the pipes.

• bpo-37212: unittest.mock.call() now preserves the order of keyword arguments in repr output. Patch by Karthikeyan Singaravelan.

• bpo-37305: Add .webmanifest -> application/manifest+json to list of recognized file types and content type headers

• bpo-21872: Fix lzma: module decompresses data incompletely. When decompressing a FORMAT_ALONE format file, and it doesn’t have the end marker, sometimes the last one to dozens bytes can’t be output. Patch by Ma Lin.

• bpo-37206: Default values which cannot be represented as Python objects no longer improperly represented as None in function signatures.

• bpo-12144: Ensure cookies with expires attribute are handled in CookieJar.make_cookies().

• bpo-31163: pathlib.Path instance’s rename and replace methods now return the new Path instance.

• bpo-25068: urllib.request.ProxyHandler now lowercases the keys of the passed dictionary.

• bpo-21315: Email headers containing RFC2047 encoded words are parsed despite the missing whitespace, and a defect registered. Also missing trailing whitespace after encoded words is now registered as a defect.

• bpo-36250: Ignore ValueError from signal with interaction in non-main thread.

• bpo-35168: shlex.shlex.punctuation_chars is now a read-only property.

• bpo-20504: Fixes a bug in cgi module when a multipart/form-data request has no Content-Length header.

• bpo-34519: Add additional aliases for HP Roman 8. Patch by Michael Osipov.

Documentation

• bpo-26868: Fix example usage of PyModule_AddObject() to properly handle errors.

• bpo-36797: Fix a dead link in the distutils API Reference.

• bpo-37977: Warn more strongly and clearly about pickle insecurity

• bpo-37937: Mention frame.f_trace in sys.settrace() docs.

• bpo-36260: Add decompression pitfalls to zipfile module documentation.

• bpo-36960: Restructured the datetime docs in the interest of making them more user-friendly and improving readability. Patch by Brad Solomon.

• bpo-23460: The documentation for decimal string formatting using the :g specifier has been updated to reflect the correct exponential notation cutoff point. Original patch contributed by Tuomas Suutari.

• bpo-35803: Document and test that tempfile functions may accept a path-like object for the dir argument. Patch by Anthony Sottile.

• bpo-33944: Added a note about the intended use of code in .pth files.

• bpo-34293: Fix the Doc/Makefile regarding PAPER environment variable and PDF builds

Tests

• bpo-38239: Fix test_gdb for Link Time Optimization (LTO) builds.

• bpo-38275: test_ssl now handles disabled TLS/SSL versions better. OpenSSL’s crypto policy and run-time settings are recognized and tests for disabled versions are skipped. Tests also accept more TLS minimum_versions for platforms that override OpenSSL’s default with strict settings.

• bpo-38271: The private keys for test_ssl were encrypted with 3DES in traditional PKCS#5 format. 3DES and the digest algorithm of PKCS#5 are blocked by some strict crypto policies. Use PKCS#8 format with AES256 encryption instead.

• bpo-38270: test.support now has a helper function to check for availibility of a hash digest function. Several tests are refactored avoid MD5 and use SHA256 instead. Other tests are marked to use MD5 and skipped when MD5 is disabled.

• bpo-37123: Multiprocessing test test_mymanager() now also expects -SIGTERM, not only exitcode 0. BaseManager._finalize_manager() sends SIGTERM to the manager process if it takes longer than 1 second to stop, which happens on slow buildbots.

• bpo-38212: Multiprocessing tests: increase test_queue_feeder_donot_stop_onexc() timeout from 1 to 60 seconds.

• bpo-38117: Test with OpenSSL 1.1.1d

• bpo-37531: Enhance regrtest multiprocess timeout: write a message when killing a worker process, catch popen.kill() and popen.wait() exceptions, put a timeout on the second call to popen.communicate().

• bpo-37876: Add tests for ROT-13 codec.

• bpo-37252: Fix assertions in test_close and test_events_mask_overflow devpoll tests.

• bpo-34001: Make test_ssl pass with LibreSSL. LibreSSL handles minimum and maximum TLS version differently than OpenSSL.

• bpo-36919: Make test_source_encoding.test_issue2301 implementation independent. The test will work now for both CPython and IronPython.

• bpo-34596: Fallback to a default reason when unittest.skip() is uncalled. Patch by Naitree Zhu.

Build

• bpo-38301: In Solaris family, we must be sure to use -D_REENTRANT. Patch by Jesús Cea Avión.

• bpo-36210: Update optional extension module detection for AIX. ossaudiodev and spwd are not applicable for AIX, and are no longer reported as missing. 3rd-party packaging of ncurses (with ASIS support) conflicts with officially supported AIX curses library, so configure AIX to use libcurses.a. However, skip trying to build _curses_panel.

  patch by M Felt

• bpo-36002: Locate llvm-profdata and llvm-ar binaries using AC_PATH_TOOL rather than AC_PATH_TARGET_TOOL.

• bpo-37936: The .gitignore file systematically keeps “rooted”, with a non-trailing slash, all the rules that are meant to apply to files in a specific place in the repo. Previously, when the intended file to ignore happened to be at the root of the repo, we’d most often accidentally also ignore files and directories with the same name anywhere in the tree.

• bpo-37936: The .gitignore file no longer applies to any files that are in fact tracked in the Git repository. Patch by Greg Price.

Windows

• bpo-38117: Update bundled OpenSSL to 1.1.1d

• bpo-38092: Reduce overhead when using multiprocessing in a Windows virtual environment.

• bpo-38133: Allow py.exe launcher to locate installations from the Microsoft Store and improve display of active virtual environments.

• bpo-38114: The pip.ini is no longer included in the Nuget package.

• bpo-36634: os.cpu_count() now returns active processors rather than maximum processors.

• bpo-36634: venv activate.bat now works when the existing variables contain double quote characters.

• bpo-38081: Prevent error calling os.path.realpath() on 'NUL'.

• bpo-38087: Fix case sensitivity in test_pathlib and test_ntpath.

• bpo-38088: Fixes distutils not finding vcruntime140.dll with only the v142 toolset installed.

• bpo-37283: Ensure command-line and unattend.xml setting override previously detected states in Windows installer.

• bpo-38030: Fixes os.stat() failing for block devices on Windows

• bpo-38020: Fixes potential crash when calling os.readlink() (or indirectly through realpath()) on a file that is not a supported link.

• bpo-37705: Improve the implementation of winerror_to_errno().

• bpo-37702: Fix memory leak on Windows in creating an SSLContext object or running urllib.request.urlopen(’https://…’).

• bpo-37445: Include the FORMAT_MESSAGE_IGNORE_INSERTS flag in FormatMessageW() calls.

• bpo-37380: Don’t collect unfinished processes with subprocess._active on Windows to cleanup later. Patch by Ruslan Kuprieiev.

• bpo-32587: Make winreg.REG_MULTI_SZ support zero-length strings.

macOS

• bpo-38117: Updated OpenSSL to 1.1.1d in macOS installer.

• bpo-38089: Move Azure Pipelines to latest VM versions and make macOS tests optional

IDLE

• bpo-35379: When exiting IDLE, catch any AttributeError. One happens when EditorWindow.close is called twice. Printing a traceback, when IDLE is run from a terminal, is useless and annoying.

• bpo-38183: To avoid problems, test_idle ignores the user config directory. It no longer tries to create or access .idlerc or any files within. Users must run IDLE to discover problems with saving settings.

• bpo-38077: IDLE no longer adds ‘argv’ to the user namespace when initializing it. This bug only affected 3.7.4 and 3.8.0b2 to 3.8.0b4.

• bpo-38041: Shell restart lines now fill the window width, always start with ‘=’, and avoid wrapping unnecessarily. The line will still wrap if the included file name is long relative to the width.

• bpo-35771: To avoid occasional spurious test_idle failures on slower machines, increase the hover_delay in test_tooltip.

• bpo-37902: Add mousewheel scrolling for IDLE module, path, and stack browsers. Patch by George Zhang.

Tools/Demos

• bpo-37803: pdb’s --help and --version long options now work.

• bpo-37064: Add option -k to pathscript.py script: preserve shebang flags. Add option -a to pathscript.py script: add flags.

C API

• bpo-38234: Py_SetPath() now sets sys.executable to the program full path (Py_GetProgramFullPath()) rather than to the program name (Py_GetProgramName()).

• bpo-38234: Python ignored arguments passed to Py_SetPath(), Py_SetPythonHome() and Py_SetProgramName(): fix Python initialization to use specified arguments.

• bpo-38205: The Py_UNREACHABLE() macro now calls Py_FatalError().

• bpo-37879: Fix subtype_dealloc to suppress the type decref when the base type is a C heap type

Python 3.8.0 beta 4

Release date: 2019-08-29

Security

• bpo-34155: Fix parsing of invalid email addresses with more than one @ (e.g. a@b@c.com.) to not return the part before 2nd @ as valid email address. Patch by maxking & jpic.

Core and Builtins

• bpo-37947: Adjust correctly the recursion level in the symtable generation for named expressions. Patch by Pablo Galindo.

• bpo-37830: Fixed compilation of break and continue in the finally block when the corresponding try block contains return with a non-constant value.

• bpo-32912: Reverted bpo-32912: emitting SyntaxWarning instead of DeprecationWarning for invalid escape sequences in string and bytes literals.

• bpo-37757: PEP 572: As described in the PEP, assignment expressions now raise SyntaxError when their interaction with comprehension scoping results in an ambiguous target scope.

  The TargetScopeError subclass originally proposed by the PEP has been removed in favour of just raising regular syntax errors for the disallowed cases.

• bpo-36311: Decoding bytes objects larger than 2GiB is faster and no longer fails when a multibyte characters spans a chunk boundary.

• bpo-37433: Fix SyntaxError indicator printing too many spaces for multi-line strings - by Anthony Sottile.

• bpo-20523: pdb.Pdb supports ~/.pdbrc in Windows 7. Patch by Tim Hopper and Dan Lidral-Porter.

Library

• bpo-37834: Prevent shutil.rmtree exception when built on non-Windows system without fd system call support, like older versions of macOS.

• bpo-37965: Fix C compiler warning caused by distutils.ccompiler.CCompiler.has_function.

• bpo-37960: repr() of buffered and text streams now silences only expected exceptions when get the value of “name” and “mode” attributes.

• bpo-37951: Most features of the subprocess module now work again in subinterpreters. Only preexec_fn is restricted in subinterpreters.

• bpo-36205: Fix the rusage implementation of time.process_time() to correctly report the sum of the system and user CPU time.

• bpo-37950: Fix ast.dump() when call with incompletely initialized node.

• bpo-34679: Restores instantiation of Windows IOCP event loops from the non-main thread.

• bpo-36917: Add default implementation of the ast.NodeVisitor.visit_Constant() method which emits a deprecation warning and calls corresponding methody visit_Num(), visit_Str(), etc.

• bpo-37798: Update test_statistics.py to verify that the statistics module works well for both C and Python implementations. Patch by Dong-hee Na

• bpo-26589: Added a new status code to the http module: 451 UNAVAILABLE_FOR_LEGAL_REASONS

• bpo-37915: Fix a segmentation fault that appeared when comparing instances of datetime.timezone and datetime.tzinfo objects. Patch by Pablo Galindo.

• bpo-37868: Fix dataclasses.is_dataclass when given an instance that never raises AttributeError in __getattr__. That is, an object that returns something for __dataclass_fields__ even if it’s not a dataclass.

• bpo-37811: Fix socket module’s socket.connect(address) function being unable to establish connection in case of interrupted system call. The problem was observed on all OSes which poll(2) system call can take only non-negative integers and -1 as a timeout value.

• bpo-21131: Fix faulthandler.register(chain=True) stack. faulthandler now allocates a dedicated stack of SIGSTKSZ*2 bytes, instead of just SIGSTKSZ bytes. Calling the previous signal handler in faulthandler signal handler uses more than SIGSTKSZ bytes of stack memory on some platforms.

• bpo-37798: Add C fastpath for statistics.NormalDist.inv_cdf() Patch by Dong-hee Na

• bpo-37819: Add Fraction.as_integer_ratio() to match the corresponding methods in bool, int, float, and decimal.

• bpo-37810: Fix difflib ? hint in diff output when dealing with tabs. Patch by Anthony Sottile.

• bpo-37772: In zipfile.Path, when adding implicit dirs, ensure that ancestral directories are added and that duplicates are excluded.

• bpo-28292: Mark calendar.py helper functions as being private. The follows PEP 8 guidance to maintain the style conventions in the module and it addresses a known case of user confusion.

• bpo-18049: Add definition of THREAD_STACK_SIZE for AIX in Python/thread_pthread.h The default thread stacksize caused crashes with the default recursion limit Patch by M Felt

• bpo-37738: Fix the implementation of curses addch(str, color_pair): pass the color pair to setcchar(), instead of always passing 0 as the color pair.

• bpo-37723: Fix performance regression on regular expression parsing with huge character sets. Patch by Yann Vaginay.

• bpo-32178: Fix IndexError in email package when trying to parse invalid address fields starting with :.

• bpo-37685: Fixed comparisons of datetime.timedelta and datetime.timezone.

• bpo-37695: Correct curses.unget_wch() error message. Patch by Anthony Sottile.

• bpo-37354: Make Activate.ps1 Powershell script static to allow for signing it.

• bpo-37664: Update wheels bundled with ensurepip (pip 19.2.3 and setuptools 41.2.0)

• bpo-37642: Allowed the pure Python implementation of datetime.timezone to represent sub-minute offsets close to minimum and maximum boundaries, specifically in the ranges (23:59, 24:00) and (-23:59, 24:00). Patch by Ngalim Siregar

• bpo-16970: Adding a value error when an invalid value in passed to nargs Patch by Robert Leenders

• bpo-37587: Make json.loads faster for long strings. (Patch by Marco Paolini)

• bpo-18378: Recognize “UTF-8” as a valid value for LC_CTYPE in locale._parse_localename.

• bpo-37531: “python3 -m test -jN –timeout=TIMEOUT” now kills a worker process if it runs longer than TIMEOUT seconds.

• bpo-37482: Fix serialization of display name in originator or destination address fields with both encoded words and special chars.

• bpo-37372: Fix error unpickling datetime.time objects from Python 2 with seconds>=24. Patch by Justin Blanchard.

• bpo-37085: Add the optional Linux SocketCAN Broadcast Manager constants, used as flags to configure the BCM behaviour, in the socket module. Patch by Karl Ding.

• bpo-36871: Ensure method signature is used instead of constructor signature of a class while asserting mock object against method calls. Patch by Karthikeyan Singaravelan.

• bpo-36582: Fix UserString.encode() to correctly return bytes rather than a UserString instance.

• bpo-34775: Division handling of PurePath now returns NotImplemented instead of raising a TypeError when passed something other than an instance of str or PurePath. Patch by Roger Aiudi.

Documentation

• bpo-37979: Added a link to dateutil.parser.isoparse in the datetime.fromisoformat documentation. Patch by Paul Ganssle

• bpo-37759: Beginning edits to Whatsnew 3.8

• bpo-37726: Stop recommending getopt in the tutorial for command line argument parsing and promote argparse.

• bpo-37256: Fix wording of arguments for Request in urllib.request

• bpo-37004: In the documentation for difflib, a note was added explicitly warning that the results of SequenceMatcher’s ratio method may depend on the order of the input strings.

• bpo-36487: Make C-API docs clear about what the “main” interpreter is.

Tests

• bpo-37805: Add tests for json.dump(…, skipkeys=True). Patch by Dong-hee Na.

Build

• bpo-37707: Mark some individual tests to skip when –pgo is used. The tests marked increase the PGO task time significantly and likely don’t help improve optimization of the final executable.

Windows

• bpo-37549: os.dup() no longer fails for standard streams on Windows 7.

• bpo-1311: The nul file on Windows now returns True from exists() and a valid result from os.stat() with S_IFCHR set.

• bpo-9949: Enable support for following symlinks in os.realpath().

• bpo-37834: Treat all name surrogate reparse points on Windows in os.lstat() and other reparse points as regular files in os.stat().

• bpo-36266: Add the module name in the formatted error message when DLL load fail happens during module import in _PyImport_FindSharedFuncptrWindows(). Patch by Srinivas Nyayapati.

• bpo-25172: Trying to import the crypt module on Windows will result in an ImportError with a message explaining that the module isn’t supported on Windows. On other platforms, if the underlying _crypt module is not available, the ImportError will include a message explaining the problem.

• bpo-37778: Fixes the icons used for file associations to the Microsoft Store package.

• bpo-37734: Fix use of registry values to launch Python from Microsoft Store app.

• bpo-28269: Replace use of strcasecmp() for the system function _stricmp(). Patch by Minmin Gong.

macOS

• bpo-18049: Increase the default stack size of threads from 5MB to 16MB on macOS, to match the stack size of the main thread. This avoids crashes on deep recursion in threads.

IDLE

• bpo-37824: Properly handle user input warnings in IDLE shell. Cease turning SyntaxWarnings into SyntaxErrors.

• bpo-37929: IDLE Settings dialog now closes properly when there is no shell window.

• bpo-37849: Fixed completions list appearing too high or low when shown above the current line.

• bpo-36419: Refactor IDLE autocomplete and improve testing.

• bpo-37748: Reorder the Run menu. Put the most common choice, Run Module, at the top.

Tools/Demos

• bpo-37942: Improve ArgumentClinic converter for floats.

• bpo-37034: Argument Clinic now uses the argument name on errors with keyword-only argument instead of their position. Patch contributed by Rémi Lapeyre.

C API

• bpo-36763: Options added by PySys_AddXOption() are now handled the same way than PyConfig.xoptions and command line -X options.

• bpo-37926: Fix a crash in PySys_SetArgvEx(0, NULL, 0).

Python 3.8.0 beta 3

Release date: 2019-07-29

Security

• bpo-37461: Fix an infinite loop when parsing specially crafted email headers. Patch by Abhilash Raj.

Core and Builtins

• bpo-37593: Swap the positions of the posonlyargs and args parameters in the constructor of ast.parameters nodes.

• bpo-36974: Implemented separate vectorcall functions for every calling convention of builtin functions and methods. This improves performance for calls.

Library

• bpo-37697: Syncronize importlib.metadata with importlib_metadata 0.19, improving handling of EGG-INFO files and fixing a crash when entry point names contained colons.

• bpo-37691: Let math.dist() accept coordinates as sequences (or iterables) rather than just tuples.

• bpo-37664: Update wheels bundled with ensurepip (pip 19.2.1 and setuptools 41.0.1)

• bpo-36324: Make internal attributes for statistics.NormalDist() private.

• bpo-37491: Fix IndexError when parsing email headers with unexpectedly ending bare-quoted string value. Patch by Abhilash Raj.

• bpo-37579: Return NotImplemented in Python implementation of __eq__ for timedelta and time when the other object being compared is not of the same type to match C implementation. Patch by Karthikeyan Singaravelan.

• bpo-21478: Record calls to parent when autospecced object is attached to a mock using unittest.mock.attach_mock(). Patch by Karthikeyan Singaravelan.

• bpo-37502: pickle.loads() no longer raises TypeError when the buffers argument is set to None

• bpo-37520: Correct behavior for zipfile.Path.parent when the path object identifies a subdirectory.

• bpo-18374: Fix the .col_offset attribute of nested ast.BinOp instances which had a too large value in some situations.

• bpo-37421: Fix multiprocessing.util.get_temp_dir() finalizer: clear also the ‘tempdir’ configuration of the current process, so next call to get_temp_dir() will create a new temporary directory, rather than reusing the removed temporary directory.

• bpo-37481: The distutils bdist_wininst command is deprecated in Python 3.8, use bdist_wheel (wheel packages) instead.

• bpo-26967: An ArgumentParser with allow_abbrev=False no longer disables grouping of short flags, such as -vv, but only disables abbreviation of long flags as documented. Patch by Zac Hatfield-Dodds.

• bpo-37347: sqlite3.Connection.create_aggregate(), sqlite3.Connection.create_function(), sqlite3.Connection.set_authorizer(), sqlite3.Connection.set_progress_handler() sqlite3.Connection.set_trace_callback() methods lead to segfaults if some of these methods are called twice with an equal object but not the same. Now callbacks are stored more carefully. Patch by Aleksandr Balezin.

• bpo-36564: Fix infinite loop in email header folding logic that would be triggered when an email policy’s max_line_length is not long enough to include the required markup and any values in the message. Patch by Paul Ganssle

Documentation

• bpo-32910: Remove implementation-specific behaviour of how venv’s Deactivate works.

• bpo-37284: Add a brief note to indicate that any new sys.implementation required attributes must go through the PEP process.

• bpo-30088: Documented that mailbox.Maildir constructor doesn’t attempt to verify the maildir folder layout correctness. Patch by Sviatoslav Sydorenko.

• bpo-37521: Fix importlib examples to insert any newly created modules via importlib.util.module_from_spec() immediately into sys.modules instead of after calling loader.exec_module().

  Thanks to Benjamin Mintz for finding the bug.

• bpo-37456: Slash (‘/’) is now part of syntax.

• bpo-37487: Fix PyList_GetItem index description to include 0.

• bpo-37149: Replace the dead link to the Tkinter 8.5 reference by John Shipman, New Mexico Tech, with a link to the archive.org copy.

• bpo-37478: Added possible exceptions to the description of os.chdir().

Tests

• bpo-37558: Fix test_shared_memory_cleaned_after_process_termination name handling

• bpo-37526: Add test.support.catch_threading_exception(): context manager catching threading.Thread exception using threading.excepthook().

• bpo-37421: test_concurrent_futures now explicitly stops the ForkServer instance if it’s running.

• bpo-37421: multiprocessing tests now stop the ForkServer instance if it’s running: close the “alive” file descriptor to ask the server to stop and then remove its UNIX address.

Build

• bpo-36044: Reduce the number of unit tests run for the PGO generation task. This speeds up the task by a factor of about 15x. Running the full unit test suite is slow. This change may result in a slightly less optimized build since not as many code branches will be executed. If you are willing to wait for the much slower build, the old behavior can be restored using ‘./configure [..] PROFILE_TASK=”-m test –pgo-extended”’. We make no guarantees as to which PGO task set produces a faster build. Users who care should run their own relevant benchmarks as results can depend on the environment, workload, and compiler tool chain.

Windows

• bpo-37672: Switch Windows Store package’s pip to use bundled pip.ini instead of PIP_USER variable.

IDLE

• bpo-37692: Improve highlight config sample with example shell interaction and better labels for shell elements.

• bpo-37628: Settings dialog no longer expands with font size.

• bpo-37627: Initialize the Customize Run dialog with the command line arguments most recently entered before. The user can optionally edit before submitting them.

• bpo-33610: Fix code context not showing the correct context when first toggled on.

• bpo-37530: Optimize code context to reduce unneeded background activity. Font and highlight changes now occur along with text changes instead of after a random delay.

• bpo-27452: Cleanup config.py by inlining RemoveFile and simplifying the handling of file in CreateConfigHandlers.

• bpo-17535: Add optional line numbers for IDLE editor windows. Windows open without line numbers unless set otherwise in the General tab of the configuration dialog.

• bpo-26806: To compensate for stack frames added by IDLE and avoid possible problems with low recursion limits, add 30 to limits in the user code execution process. Subtract 30 when reporting recursion limits to make this addition mostly transparent.

• bpo-36390: Gather Format menu functions into format.py. Combine paragraph.py, rstrip.py, and format methods from editor.py.

Tools/Demos

• bpo-37675: 2to3 now works when run from a zipped standard library.

Python 3.8.0 beta 2

Release date: 2019-07-04

Security

• bpo-37363: Adds audit events for the range of supported run commands (see Command line and environment).

• bpo-37463: ssl.match_hostname() no longer accepts IPv4 addresses with additional text after the address and only quad-dotted notation without trailing whitespaces. Some inet_aton() implementations ignore whitespace and all data after whitespace, e.g. ‘127.0.0.1 whatever’.

• bpo-37363: Adds audit events for ensurepip, ftplib, glob, imaplib, nntplib, pdb, poplib, shutil, smtplib, sqlite3, subprocess, telnetlib, tempfile and webbrowser, as well as os.listdir(), os.scandir() and breakpoint().

• bpo-37364: io.open_code() is now used when reading .pth files.

• bpo-34631: Updated OpenSSL to 1.1.1c in Windows installer

Core and Builtins

• bpo-37467: Fix sys.excepthook() and PyErr_Display() if a filename is a bytes string. For example, for a SyntaxError exception where the filename attribute is a bytes string.

• bpo-37417: bytearray.extend() now correctly handles errors that arise during iteration. Patch by Brandt Bucher.

  <