Message-ID: <24c41b82-8304-4572-ae27-75932fcc8684@FreeBSD.org>
Date: Mon, 5 Jan 2026 12:01:31 +0100
List-Id: FreeBSD-specific Python issues
List-Archive: https://lists.freebsd.org/archives/freebsd-python
Subject: Formal request to clean out Python branches ASAP from our ports tree (was: git: 66173037774d - main - lang/python31[012]: deprecate 2026-03-31)
To: python@FreeBSD.org, portmgr, ports-secteam@FreeBSD.org, core
From: Matthias Andree
Organization: FreeBSD ports
Cc: Antoine Brodin, Daniel Engberg

On 03.01.26 at 23:50, Antoine Brodin wrote:
> On Sat, Jan 3, 2026 at 11:48 PM Matthias Andree wrote:
>> The branch main has been updated by mandree:
>>
>> URL: https://cgit.FreeBSD.org/ports/commit/?id=66173037774d8648a59e30b424692ae80dbc20b3
>>
>> commit 66173037774d8648a59e30b424692ae80dbc20b3
>> Author: Matthias Andree
>> AuthorDate: 2026-01-03 22:39:35 +0000
>> Commit: Matthias Andree
>> CommitDate: 2026-01-03 22:42:02 +0000
>>
>> lang/python31[012]: deprecate 2026-03-31
>>
>> Since the current Python upstream maintainers have not yet released
>> security fix releases to match 3.14.2 and 3.13.11, meaning that we have
>> about three unfixed security issues per 3.12/3.11/3.10 release, and the
>> current FreeBSD python@ team is unwilling to take approved upstream
>> patches individually (see PR), we need to
>> expedite the removal of
>> vulnerable versions and the transition to 3.13/3.14. Deprecate all
>> "security support" releases of Python that are not in the bugfix phase.
>>
>> PR: 291609
> This is wrong, please revert.
> 3.10 end of life is October 2026
> 3.11 end of life is October 2027
> 3.12 end of life is October 2028

Dear Antoine, dear python, portmgr, ports-secteam and core teams,

Transparency: I am not on python@.

1. the upstream Python project has failed to deliver the security fix backports (of the fixes that appeared in 3.13 and 3.14 on 2025-12-05 patchlevel releases) to source tarball releases (which is the only deliverable they committed to) of 3.12.X, 3.11.Y, 3.10.Z. The "EOL" and "security branch" of Python are a sham and do not deliver on their promise.

2. we must therefore move the FreeBSD project to 3.13 or 3.14, both releases in "bugfix" support, as quickly as possible.

REQUEST

3a. I formally request that either python@ or as backup portmgr@ or as backup core@ decides that we as a project distrust Python "security support" phase and the project's plan is to move to Python 3.13 or 3.14 as our default ports version as quickly as possible. It may be diligent to move to 3.13 first and to 3.14 in due time before 3.13 transitions from bugfix support to security support in prospectively October 2026. Ideally we switch the main ports branch to 3.14 in July or August so we have time to clean up fallout before we branch for 2026Q4.

3b. I am uncertain if ports-secteam@ has a say in this; but they already asked how we can avoid a situation where our default python version has been vulnerable to known security issues for an unduly long time already and remains unfixed today, and how to avoid that situation. My proposal is in 3a.

4.
I formally request that either python@ or as backup portmgr@ or as backup core@ decides we need to reduce the number of Python branches in our tree, recognizing we cannot - as a project - maintain six branches of Python because we're understaffed.

More observations:

The extant python@ team of FreeBSD apparently has insufficient capacity to see to getting 3.11 and 3.10 maintained to the extent needed to get known security issues fixed, and this has so far left our default version 3.11.14 vulnerable to at least two, possibly three, known security issues (vishwin@ pulled three fixes into 3.12.12 as cherry-picks).

The extant python@ team of FreeBSD has five Python releases at hand (being 3.11, 3.10, 3.12, 3.13, 3.13t) and I expect 3.13t to be somewhat more cumbersome than the others AFAICS. (I am the maintainer for the 3.14 port, and we do not have a 3.14t port. Footnote [1].) and we need to reduce that as quickly as possible.

Footnotes:

[1] If there is sufficient interest, I can set up a 3.14t port that I would *NOT WANT* integrated with the Python FLAVORS framework, but would keep separate as a minimal port that has venv and pip/wheel available so that people can build their virtual environments and install the necessary packages into a virtual environment for their project. I honestly don't think we can support all of ports/*/py-* for the "-t" variants of Python yet.

--
Matthias Andree
FreeBSD ports committer