python311-3.11.14 vulnerable but no alternatives/updates

[MrBSD]

This is why administrators, moderators and developers should have zero tolerance for such ungrateful people. You guys are way too relaxed and tolerate way too much. Especially those that engage in discussions and trying to actually reason with them.

 

[dino1]

Just a note... there is lang/python315, not vulnerable according to 'pkg audit' test... no idea on compability, I just did it for a test.

 

[Charlie_]

lang/python315 was also created with mandree@ as the maintainer, not python@.

The maintainer has been changed to python@ by portmgr@.

ports - FreeBSD ports tree

cgit.freebsd.org

 

[Charlie_]

Regarding CVE-2025-47273 in py-setuptools.

Re: Fw: git: 680508df7b6a - main - security/vuxml: Add entry for (py-)setuptools CVE-2025-47273

As for this specific vulnerability, it is not exploitable to how we (ports) build
Python packages, since the affected mechanism is setuptools's own PyPI
fetching mechanism which we do not use (we have our own do-fetch via
fetch(1) et al).

In all, this vuxml entry was not added or reviewed by the python@ team, 
especially not for applicability to actual use cases.

 

[diizzy]

Multiple people have stepped in and offered help (including doing work) since things are progressing very slowly. Friction, lack of communication and organisational skills and gatekeeping between a committer and several other developers (within FreeBSD), ports committers and contributors (unfortunately) don't improve the situation.

Just an example of how fast PRs are processed, from the release of Python 3.13 (Oct 2024 according to https://www.python.org/downloads/ ) over a year passed before it landed in tree and patches have been available during that time.

Looking at git history "python@ team" or its members haven't initially committed a single VuXML entry for the past two years so and there have been CVEs during that time (for those who want to know).

 

[T-Aoki]

One of the example of show-stopper for bumping default python can be seen at Comment 21 of PR 274671, precisely, the part below.

because of one package that upstream declared not compatible with this version

Broken backward compatibilities makes bumps harder and time consuming.
It matters worst for languages having too huge amount of dependants like python. And this is why I hate python as a programming language and don't want to learn it.

 

[Charlie_]

There might be some progress.

285957 – lang/python312 as default python

bugs.freebsd.org

So, see with Vishwin, Warner, Kyle and me during the BSDCan: It seems that, like
bapt said, we should re-run an exprun and it should be good to upgrade this port. 
Could we prioritise this re-run ?

 

[T-Aoki]

There might be some progress.

285957 – lang/python312 as default python

bugs.freebsd.org

So, see with Vishwin, Warner, Kyle and me during the BSDCan: It seems that, like
bapt said, we should re-run an exprun and it should be good to upgrade this port.
Could we prioritise this re-run ?

Coming July (and remainder of June) would be the good timing for the exp-run, as release engineering for 14.5 starts on August.

 

[Charlie_]

New failures logs.

285957 – lang/python312 as default python

bugs.freebsd.org

These are the remaining problematic failures from last time.

japanese/mozc-server : 15 skipped
devel/pyside2@py312 : 8 skipped
devel/py-yappi@py312 : 6 skipped
audio/aubio : 5 skipped

 

[T-Aoki]

New failures logs.

285957 – lang/python312 as default python

bugs.freebsd.org

These are the remaining problematic failures from last time.

japanese/mozc-server : 15 skipped
devel/pyside2@py312 : 8 skipped
devel/py-yappi@py312 : 6 skipped
audio/aubio : 5 skipped

The case for japanese/mozc-server looks ninja related (crashed in *.py).

Not tried on py312 environment, so possibly I'm overlooking something important, but mozc would switch to bazel builds (defaulted to bazel9) if PR 295074 by Ken DEGUCHI is accepted and lands. But some python scripts seem to be used at least for merging dictionaries, thus, this can still fail.

 

[Charlie_]

mozc would switch to bazel builds (defaulted to bazel9) if PR 295074 by Ken DEGUCHI is accepted and lands.

Simply updating Mozc would require the decision to drop support for i386.
Depending on the committer, Mozc might maintain two ports, gyp and bazel,
until i386 support ends, similar to pkgsrc.

 

[T-Aoki]

Simply updating Mozc would require the decision to drop support for i386.
Depending on the committer, Mozc might maintain two ports, gyp and bazel,
until i386 support ends, similar to pkgsrc.

As i386 is already Tier2 on 14.x and dropped supports at 15.0 and later, and considering current mozc ports are NOT upgraded for quite a long time, I personally think to copy current Mozc-related ports as *-i386 ports and upgrade existing ones into new form which uses bazel.

Actually, *-i386 (or *-gyp) would be actually "frozen" as coexisting both in one port using FLAVOR would be unrealistic (see the patch at PR 295074 how large the differences are!). And I've heard from Ken via personal email that upstream dropped supports for gyp builds.

Frankly, I don't like Bazel, but the decision is on upstream.

 

[T-Aoki]

Default version of Python is now switched to 3.12 on main (aka latest) branch of ports tree.
Note that next quarterly 2026Q3 would be branched from main on early July, so I think it wouldn't be merged into 2026Q2.