amazonlinux / amazon-linux-2023

Amazon Linux 2023
https://aws.amazon.com/linux/amazon-linux-2023/

[Bug] - AL2023 Python3.11 is not at the current patch version #716

Open danktec opened 6 months ago

danktec commented 6 months ago

Describe the bug

AL2023 has Python 3.11.6

python3.11.x86_64                       3.11.6-1.amzn2023.0.3              @amazonlinux

But this is out of date and should be upgraded to 3.11.9

To Reproduce

sudo yum install python3.11
python3.11 --version

Expected behavior

Latest version should be available in the @amazonlinux yum repo. Older versions carry bugs and vulnerabilities.

https://docs.aws.amazon.com/linux/al2023/release-notes/support-info-by-support-statement.html#support-info-by-support-statement-eol_python3.11

danktec commented 2 months ago

Any movement on this? (I've since moved to a distro with more Python version support)

amimas commented 2 months ago

Python 3.11.10 is now latest version, which is also not available yet. Unfortunately I can't easily move to a different distro. Would be nice to get some update on this issue or clarification on what's blocking it.

danie-dejager commented 2 months ago

Enterprise Linux distributions like AL2023 (Amazon Linux 2023) prioritize stability and long-term support over having the latest package versions. Here's why:

  1. Stability and Reliability: Enterprise Linux is often used in production environments where stability is crucial. Newer package versions might introduce bugs or changes that can affect critical systems. To avoid this, enterprise distros typically stick to well-tested versions.

  2. Long-Term Maintenance: The versions provided are carefully chosen by the distribution maintainers for their ability to be supported and maintained over the long term. This means that rather than constantly upgrading to the latest version, the maintainers backport security patches and critical updates to the supported versions, ensuring they stay secure and reliable without introducing instability.

  3. Security Patching: When a new version of a package addresses a security vulnerability, the enterprise distro doesn't necessarily adopt the entire new version. Instead, maintainers review the specific security issues and apply the necessary fixes (backports) to the currently supported version, ensuring security without disrupting system stability.

This approach allows enterprise Linux users to benefit from stability, security, and long-term support, even though they may not always be using the latest versions of software packages.

Have you had a look at ActiveState Python if you want to use the latest?

danktec commented 2 months ago

@daniejstriata your comment seems too generalised and doesn't address the versioning nuances we are trying to resolve.

3.11.6 has known bugs, which have been fixed, without breaking compatibility or adding new features. This should be the trajectory for an Enterprise/LTS distro. If bugs and security issues are not addressed, it affects stability, security, usability and reliability.

The request is not asking for a major or minor version bump... It's asking for a bug to be addressed which is causing application usability issues.

danie-dejager commented 2 months ago

@danktec What specific bug needs to be addressed? Amazon maintains the python 3.11 package and like with most enterprise linux distros will back-patch from newer releases but the version will stay 3.11.6. Look at this advisory as example: https://alas.aws.amazon.com/AL2023/ALAS-2024-653.html
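The point made above is that on a backporting distro the version string stays at 3.11.6 while fixes land in the release suffix, so "which CVEs are fixed" has to be read from the package changelog (or the ALAS advisory), not from `python3.11 --version`. The following is an added example, not code from the issue thread or from the Amazon Linux project: it parses output in the layout of `rpm -q --changelog <pkg>` and reports which CVE ids appear and in which build they first appeared. The embedded changelog is constructed for the example and its CVE ids are placeholders, not the contents of any real advisory.

```python
"""Read backported CVE fixes out of an RPM changelog whose upstream version
string does not move (e.g. python3.11 staying at 3.11.6 on AL2023).

Added example; not from the issue thread or the Amazon Linux project.
Assumption: rpm changelog layout, i.e. entry headers of the form
'* <Dow Mon DD YYYY> <packager> - <version-release>' followed by '- ' lines.
"""
import re
import subprocess
import sys

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
HEADER_RE = re.compile(
    r"^\* (?P<date>\w{3} \w{3} \d{1,2} \d{4}) (?P<who>.+?) - (?P<evr>\S+)$"
)

# Constructed sample in rpm changelog layout. The CVE ids are placeholders
# and do not correspond to any real Amazon Linux advisory.
SAMPLE_CHANGELOG = """\
* Mon Jul 01 2024 Example Maintainer <maint@example.invalid> - 3.11.6-1.amzn2023.0.3
- Backport fix for CVE-2024-00002 (placeholder id)
- Rebuild against updated expat
* Tue Mar 12 2024 Example Maintainer <maint@example.invalid> - 3.11.6-1.amzn2023.0.2
- Backport fix for CVE-2024-00001 (placeholder id)
* Wed Dec 06 2023 Example Maintainer <maint@example.invalid> - 3.11.6-1.amzn2023.0.1
- Update to 3.11.6
"""


def parse_changelog(text):
    """Return changelog entries (newest first) as dicts with evr, date, cves."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"evr": m.group("evr"), "date": m.group("date"), "cves": []})
        elif line.startswith("- ") and entries:
            # Bullet lines belong to the most recent header; collect any CVE ids.
            entries[-1]["cves"].extend(CVE_RE.findall(line))
    return entries


def fixed_cves(text):
    """All CVE ids mentioned anywhere in the changelog."""
    return {cve for e in parse_changelog(text) for cve in e["cves"]}


def fix_release(text, cve):
    """EVR of the oldest entry mentioning the CVE (the build that first shipped
    the fix), or None if the changelog never mentions it."""
    for e in reversed(parse_changelog(text)):
        if cve in e["cves"]:
            return e["evr"]
    return None


def upstream_version(evr):
    """Strip the distro release: '3.11.6-1.amzn2023.0.3' -> '3.11.6'."""
    return evr.split("-", 1)[0]


def installed_changelog(pkg):
    """Changelog of the installed package via rpm, or None when rpm is unavailable."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--changelog", pkg],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout


if __name__ == "__main__":
    pkg = sys.argv[1] if len(sys.argv) > 1 else "python3.11"
    cve = sys.argv[2] if len(sys.argv) > 2 else "CVE-2024-00001"
    text = installed_changelog(pkg)
    if text is None:
        print("rpm not available; using the constructed sample changelog")
        text = SAMPLE_CHANGELOG
    entries = parse_changelog(text)
    if entries:
        print(f"{pkg}: upstream {upstream_version(entries[0]['evr'])}, build {entries[0]['evr']}")
    print(f"CVEs named in changelog: {sorted(fixed_cves(text))}")
    build = fix_release(text, cve)
    print(f"{cve}: {'fixed in build ' + build if build else 'not mentioned'}")
```

On an AL2023 host run it as `python3 check_backports.py python3.11 CVE-XXXX-YYYY` with the id taken from the ALAS advisory of interest; the answer comes from the build suffix, which is what changes when a fix is backported, not from the 3.11.6 prefix.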

danktec commented 2 months ago

@daniejstriata

The specific bug which I am referring to occurs when using double quotes inside an f-string inside a dictionary key. It's resolved in 3.11.9... it's fixed somewhere between .6 and .9.

Amazon will provide security patches and support for this version of Python until the upstream end-of-life of Python 3.11, which is estimated to be in October 2027

https://docs.aws.amazon.com/linux/al2023/release-notes/support-info-by-support-statement.html#support-info-by-support-statement-eol_python3.11
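The construct described in the comment above depends on what the interpreter's f-string parser accepts, so a script that has to run on whatever python3.11 build the distro ships can probe for it at import time instead of hard-coding a patch number. The following is an added example, not code from the issue thread or from the Amazon Linux project. It assumes the construct meant is a double-quoted subscript inside a double-quoted f-string, `f"{d["key"]}"` (my reading of "double quotes inside an f-string inside a dictionary key"); the probe reports whether the running interpreter parses it, and the portable form alternates quote styles, which every Python 3 f-string implementation accepts.

```python
"""Probe the running interpreter for the f-string quoting construct from the
issue and provide a form that parses on every Python 3.6+.

Added example; not from the issue thread or the Amazon Linux project.
Assumption: the reported construct is f"{d["key"]}" (same quote character
reused inside the replacement field).
"""
import sys

# Kept as a source string so that importing this module never fails on an
# interpreter whose parser rejects the construct.
NESTED_QUOTE_SOURCE = 'f"{d["key"]}"'


def interpreter_version():
    """(major, minor, micro) of the running interpreter."""
    return tuple(sys.version_info[:3])


def parse_version(s):
    """'3.11.6' -> (3, 11, 6), so patch levels compare numerically, not as text."""
    return tuple(int(p) for p in s.split("."))


def supports_nested_quotes():
    """True if the interpreter compiles NESTED_QUOTE_SOURCE, False on SyntaxError.
    compile() only parses; nothing is executed by the probe."""
    try:
        compile(NESTED_QUOTE_SOURCE, "<probe>", "eval")
    except SyntaxError:
        return False
    return True


def render_portable(d):
    """Same result as the nested-quote form, using the alternate quote style
    inside the replacement field, which parses on every Python 3 f-string
    implementation."""
    return f"{d['key']}"


def render(d):
    """Use the nested-quote form where the parser accepts it, else the portable
    form. Both produce identical output; the function exists to show that the
    difference is purely one of syntax acceptance."""
    if supports_nested_quotes():
        code = compile(NESTED_QUOTE_SOURCE, "<probe>", "eval")
        return eval(code, {"__builtins__": {}}, {"d": d})
    return render_portable(d)


if __name__ == "__main__":
    v = ".".join(str(x) for x in interpreter_version())
    print(f"Python {v}: nested same-quote f-string accepted: {supports_nested_quotes()}")
    print(render({"key": "value"}))
```

If a deployment must fail fast rather than fall back, compare `interpreter_version()` against `parse_version("3.11.9")` at startup; the tuple comparison avoids the string-comparison trap where "3.11.10" sorts before "3.11.9".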

danie-dejager commented 2 months ago

@danktec Can you update the subject to mention that rather than Python 3.11 not being the latest version? @stewartsmith Maybe that will make it easier for Amazon to track this issue for the actual problem.

danktec commented 2 months ago

@daniejstriata I don't know what the specific bugfix is... All I know is that the error I was encountering was solved somewhere between patch versions .6 --> .9. It's going to be the same story for everyone else on this thread...