Provide official installers for security releases #87504

Closed
zby1234 mannequin opened this issue Feb 27, 2021 · 2 comments
Labels
3.10 only security fixes topic-installation type-feature A feature request or enhancement

Comments

zby1234 mannequin commented Feb 27, 2021

BPO 43338
Nosy @terryjreedy, @ned-deily, @zooba

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

GitHub fields:

assignee = None
closed_at = <Date 2021-03-05.21:51:55.629>
created_at = <Date 2021-02-27.10:07:25.010>
labels = ['type-feature', 'expert-installation', '3.10']
title = 'Provide offical installers for security releases'
updated_at = <Date 2021-03-05.21:51:55.626>
user = 'https://bugs.python.org/zby1234'

bugs.python.org fields:

activity = <Date 2021-03-05.21:51:55.626>
actor = 'terry.reedy'
assignee = 'none'
closed = True
closed_date = <Date 2021-03-05.21:51:55.629>
closer = 'terry.reedy'
components = ['Installation']
creation = <Date 2021-02-27.10:07:25.010>
creator = 'zby1234'
dependencies = []
files = []
hgrepos = []
issue_num = 43338
keywords = []
message_count = 2.0
messages = ['387774', '388166']
nosy_count = 4.0
nosy_names = ['terry.reedy', 'ned.deily', 'steve.dower', 'zby1234']
pr_nums = []
priority = 'normal'
resolution = 'rejected'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue43338'
versions = ['Python 3.10']

zby1234 mannequin commented Feb 27, 2021

Hello,

Thanks for developing Python! I noticed there are no official installers for security releases of old Python versions. This looks a little strange to me. As a Python user and developer, it's common to stay with some old version of Python, because of some package's version constraints, or because we need to support old platforms.

The official installer is the most trusted installation source, but it's not provided with security releases. The lack of installers makes installation extremely difficult (impossible for end users), and there's no (free) way for an individual to create a code-signed copy of Python. Non-code-signed binaries will lead to a lot of problems on recent operating systems.

The choice of providing no official installer leads a lot of users to stay with the latest bug-fix release and not upgrade to the latest security releases. Individuals who want to stay with an old version must either use the latest bug-fix release or risk running a non-code-signed Python binary. The former lacks recent Python security fixes, and the latter is vulnerable to binary modifications such as virus infection.

To sum up, if an official installer is provided, it will make life a lot easier for users who want to stay with an old Python version. It would be appreciated if you could accept my feature request.

Thank you!

@zby1234 zby1234 mannequin added 3.10 only security fixes topic-installation type-feature A feature request or enhancement labels Feb 27, 2021
@terryjreedy
Member

This tracker is only concerned with the PSF/python.org Windows and macOS installers, not the *nix distributions, so I assume that one of the former is your concern.

For those, your request has been made and rejected multiple times before. A request on the tracker won't change this policy decision. Briefly, we consider other actions by the volunteers who make those installers to be more valuable. Making more installers means not doing something else, like fixing bugs or keeping up with OS changes or enhancing something.

A little more: 1. Many -- maybe most -- security fixes are only or mainly of concern to server maintainers. They mostly run *nix or compile their own binaries or pay someone to do so. 2. Running older Python versions instead of newer versions is a user choice, not ours. 3. Non-PSF distributors of Python for Windows and Mac are free to recompile their binaries whenever they want to.

For Windows, I don't know what your concern is about 'signed' binaries. Anyone can install the Visual Studio Community Edition and Git and clone and compile their own binary. This is at least as secure as a downloaded binary. If more instructions are needed for how to use that binary for production use, that would be a different issue. (And perhaps git should be told to git-ignore additions to site-packages.)

@terryjreedy terryjreedy changed the title [feature request] Please provide offical installers for security releases Provide offical installers for security releases Mar 5, 2021
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022