python311-3.11.14 vulnerable but no alternatives/updates

[MrBSD]

This is why administrators, moderators and developers should have zero tolerance for such ungrateful people. You guys are way too relaxed and tolerate way too much. Especially those that engage in discussions and trying to actually reason with them.

 

[dino1]

Just a note... there is lang/python315, not vulnerable according to 'pkg audit' test... no idea on compability, I just did it for a test.

 

[Charlie_]

lang/python315 was also created with mandree@ as the maintainer, not python@.

The maintainer has been changed to python@ by portmgr@.

ports - FreeBSD ports tree

cgit.freebsd.org

 

[Charlie_]

Regarding CVE-2025-47273 in py-setuptools.

Re: Fw: git: 680508df7b6a - main - security/vuxml: Add entry for (py-)setuptools CVE-2025-47273

As for this specific vulnerability, it is not exploitable to how we (ports) build
Python packages, since the affected mechanism is setuptools's own PyPI
fetching mechanism which we do not use (we have our own do-fetch via
fetch(1) et al).

In all, this vuxml entry was not added or reviewed by the python@ team, 
especially not for applicability to actual use cases.

 

[diizzy]

Multiple people have stepped in and offered help (including doing work) since things are progressing very slowly. Friction, lack of communication and organisational skills and gatekeeping between a committer and several other developers (within FreeBSD), ports committers and contributors (unfortunately) don't improve the situation.

Just an example of how fast PRs are processed, from the release of Python 3.13 (Oct 2024 according to https://www.python.org/downloads/ ) over a year passed before it landed in tree and patches have been available during that time.

Looking at git history "python@ team" or its members haven't initially committed a single VuXML entry for the past two years so and there have been CVEs during that time (for those who want to know).

 

[T-Aoki]

One of the example of show-stopper for bumping default python can be seen at Comment 21 of PR 274671, precisely, the part below.

because of one package that upstream declared not compatible with this version

Broken backward compatibilities makes bumps harder and time consuming.
It matters worst for languages having too huge amount of dependants like python. And this is why I hate python as a programming language and don't want to learn it.