gh-146450: Normalise feature set of Android build script with other platform build scripts (#146451)
Allows for cleaning a subset of targets, customization of the download cache and
cross-build directories, and modifies the build command to allow 'all', 'build'
and 'hosts' targets.
gh-148022: Add threat model to remote debugging docs (#148024)
The remote debugging protocol has been generating spurious
vulnerability reports from automated scanners that pattern-match
on "remote access" and "memory operations" without understanding
the privilege model. This section documents the security boundaries
so reporters can self-triage before submitting.
The threat model clarifies three points: attaching requires the
same OS-level privileges as GDB (ptrace, task_for_pid, or
SeDebugPrivilege), crashes caused by reading corrupted target
process memory are not security issues, and a compromised target
process is out of scope. A subsection explains when operators
should use PYTHON_DISABLE_REMOTE_DEBUG for defence-in-depth.
Victor Stinner [Thu, 2 Apr 2026 11:55:34 +0000 (13:55 +0200)]
gh-147988: Initialize digits in long_alloc() in debug mode (#147989)
When Python is built in debug mode:
* long_alloc() now initializes digits with a pattern to detect usage of
uninitialized digits.
* _PyLong_CompactValue() now makes sure that the digit is zero when the
sign is zero.
* PyLongWriter_Finish() now raises SystemError if it detects uninitialized
digits.
gh-146656: properly raise `NotImplementedError` instead of `NotImplemented` in `test_discover` (#146661)
Co-authored-by: AN Long <aisk@users.noreply.github.com>
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Filipe Laíns <filipe.lains@gmail.com>
Mark Shannon [Wed, 1 Apr 2026 16:15:13 +0000 (17:15 +0100)]
GH-126910: Make `_Py_get_machine_stack_pointer` return the stack pointer (#147945)
* Make _Py_get_machine_stack_pointer return the stack pointer (or close to it), not the frame pointer
* Make ``_Py_ReachedRecursionLimit`` inline again
* Remove ``_Py_MakeRecCheck`` replacing its use with ``_Py_ReachedRecursionLimit``
* Move stack switching check into ``_Py_CheckRecursiveCall``
gh-147944: Increase range of bytes_per_sep (GH-147946)
Accepted range for the bytes_per_sep argument of bytes.hex(),
bytearray.hex(), memoryview.hex(), and binascii.b2a_hex()
is now increased, so passing sys.maxsize and -sys.maxsize is now
valid.
gh-146431: Add the wrapcol and ignorechars parameters for more Base XX codecs (GH-146434)
Add the wrapcol parameter to base64 functions b16encode(), b32encode(),
b32hexencode(), b85encode() and z85encode(), and binascii functions
b2a_base32() and b2a_base85().
Add the ignorechars parameter to base64 functions b16decode(), b32decode(),
b32hexdecode(), b85decode() and z85decode(), and binascii functions
a2b_hex(), unhexlify(), a2b_base32() and a2b_base85().
gh-143050: Correct PyLong_FromString() to use _PyLong_Negate() (#145901)
The long_from_string_base() might return a small integer, when the
_pylong.py is used to do conversion. Hence, we must be careful here to
not smash its "small int" bit by using the _PyLong_FlipSign().
Co-authored-by: Victor Stinner <vstinner@python.org>
Neko Asakura [Mon, 30 Mar 2026 16:42:24 +0000 (00:42 +0800)]
gh-144270: Make SubElement parent and tag positional-only (GH-144845)
The C accelerator implementations use PyArg_ParseTuple, which
inherently enforces positional-only parameters. The Python fallback
allowed these as keyword arguments, creating a behavioral mismatch.
Make the tag parameter of Element.__init__ and the parent and tag
parameters of SubElement positional-only to align with the C
accelerator.
ivonastojanovic [Mon, 30 Mar 2026 11:31:06 +0000 (12:31 +0100)]
gh-138122: Add differential flame graph (#145785)
Differential flame graphs compare two profiling runs and highlight where
performance has changed. This makes it easier to detect regressions
introduced by code changes and to verify that optimizations have the
intended effect.
The visualization renders the current profile with frame widths
representing current time consumption. Color is then applied to show the
difference relative to the baseline profile: red gradients indicate
regressions, while blue gradients indicate improvements.
Some call paths may disappear entirely between profiles. These are
referred to as elided stacks and occur when optimizations remove code
paths or when certain branches stop executing. When elided stacks are
present, an "Elided" toggle is displayed, allowing the user to switch
between the main differential view and a view showing only the removed
paths.
Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
Sanyam Khurana [Mon, 30 Mar 2026 09:11:13 +0000 (05:11 -0400)]
gh-138577: Fix keyboard shortcuts in getpass with echo_char (#141597)
When using getpass.getpass(echo_char='*'), keyboard shortcuts like
Ctrl+U (kill line), Ctrl+W (erase word), and Ctrl+V (literal next)
now work correctly by reading the terminal's control character
settings and processing them in non-canonical mode.
Co-authored-by: Victor Stinner <vstinner@python.org>
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
Imgyu Kim [Fri, 27 Mar 2026 20:48:07 +0000 (05:48 +0900)]
gh-146310: Fix ensurepip to treat empty WHEEL_PKG_DIR as unset (#146357)
Path('') resolves to CWD, so an empty WHEEL_PKG_DIR string caused
ensurepip to search the current working directory for wheel files.
Add a truthiness check to treat empty strings the same as None.
Co-authored-by: Victor Stinner <vstinner@python.org>
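
The behaviour described in the gh-146310 message above, as an added example that is not ensurepip's own code: an empty directory setting becomes `Path('')`, which resolves to the current working directory, so any `*.whl` file there is picked up unless empty strings are treated as unset. The helper names and the wheel file name are hypothetical and constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical helpers for illustration; not ensurepip's actual functions.

def find_wheels_unchecked(wheel_pkg_dir):
    """'Before' behaviour: only None counts as unset, so '' is used as a path."""
    if wheel_pkg_dir is None:
        return None
    return sorted(p.name for p in Path(wheel_pkg_dir).resolve().glob("*.whl"))


def find_wheels_checked(wheel_pkg_dir):
    """'After' behaviour: a truthiness check treats '' the same as None."""
    if not wheel_pkg_dir:
        return None
    return sorted(p.name for p in Path(wheel_pkg_dir).resolve().glob("*.whl"))


def demo():
    """Run both helpers from a scratch CWD that contains one constructed wheel."""
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed placeholder file; only its *.whl name matters here.
        Path(tmp, "pip-0.0.0-py3-none-any.whl").write_bytes(b"placeholder")
        os.chdir(tmp)
        try:
            return {
                "empty_is_cwd": Path("").resolve() == Path.cwd().resolve(),
                "unchecked_empty": find_wheels_unchecked(""),
                "checked_empty": find_wheels_checked(""),
                "checked_explicit": find_wheels_checked(tmp),
            }
        finally:
            os.chdir(old_cwd)  # leave the directory before it is deleted


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same check applies to any tool that turns an environment variable or build-time setting into a search directory: distinguish "unset or empty" from "explicit path" before constructing the `Path`.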