From ba1e2b41b99f0541ef6771a27b79194c47966979 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Fri, 12 Jun 2026 14:12:13 -0500 Subject: [PATCH 1/2] Add section on security fixes, backports, backwards-incompatible fixes --- security/policy.rst | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/security/policy.rst b/security/policy.rst index d2e15f98a..bc782098a 100644 --- a/security/policy.rst +++ b/security/policy.rst 
@@ -142,6 +142,33 @@ Here's what to expect for how a vulnerability report will be handled: For more information about how the PSRT handles vulnerabilities, see :ref:`psrt-vulnerability-process`. +When are security fixes released or backported? +----------------------------------------------- + +Advisories and CVE records are published after a security fix is first merged. +The CVE record contains information about the patch and will be kept up-to-date +as the patch is backported and released to Python versions. + +According to :pep:`602`, Python versions receive five years of security updates +after the new Python version is released. However, these security updates +are not published according to a fixed schedule or as a result of any security +fix being available. The schedule for security updates is determined by +the Release Manager. Users are encouraged to apply patches themselves ahead +of patches being merged and released if necessary. + +Security fixes that only affect binary installers (such as macOS and Windows) +will not be published to Python release streams that are `source-only`_. + +Some security fixes may require introducing backwards-incompatible behavior +changes. In these circumstances, the Python Steering Council +will decide with the relevant Release Manager(s) whether to proceed +with introducing a backwards incompatible change to fix a security vulnerability +in a stable version. This may affect whether a security fix is backported +to all Python versions or enabled by default, see the CVE record for +more information. + +.. _source-only: https://devguide.python.org/developer-workflow/development-cycle/#security-branches + Code of conduct --------------- From 7520171c4a625016862b9ef1cd0bb06b735622dd Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Fri, 12 Jun 2026 14:32:18 -0500 Subject: [PATCH 2/2] Use a ref --- security/policy.rst | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/security/policy.rst b/security/policy.rst index bc782098a..f4dccbb34 100644 --- a/security/policy.rst +++ b/security/policy.rst @@ -157,7 +157,8 @@ the Release Manager. Users are encouraged to apply patches themselves ahead of patches being merged and released if necessary. Security fixes that only affect binary installers (such as macOS and Windows) -will not be published to Python release streams that are `source-only`_. +will not be published to Python release streams that are +:ref:`source-only `. Some security fixes may require introducing backwards-incompatible behavior changes. In these circumstances, the Python Steering Council @@ -167,8 +168,6 @@ in a stable version. This may affect whether a security fix is backported to all Python versions or enabled by default, see the CVE record for more information. -.. _source-only: https://devguide.python.org/developer-workflow/development-cycle/#security-branches - Code of conduct ---------------
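Review bot: In the first patch's hunk (`@@ -142,6 +142,33 @@`), the sentence "Users are encouraged to apply patches themselves ahead of patches being merged and released if necessary" is hard to parse, since a fix is only available to apply once it has been merged somewhere; consider "Users who need a fix sooner are encouraged to apply the merged patch to their own builds ahead of a release that includes the backport." Two smaller points in the same hunk: "five years of security updates after the new Python version is released" would be clearer as "after that version's initial release" so the reader does not take it to mean five years after the following version ships, and the last paragraph has a comma splice, "enabled by default, see the CVE record for more information", which should be "enabled by default; see the CVE record for more information."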
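Review bot: In the second patch's first hunk (`@@ -157,7 +157,8 @@`), the added line `:ref:`source-only `` shows a label with a trailing space and no `<target>` part, so as written Sphinx would look for a label literally named "source-only" in this project, which no longer exists once the explicit target is dropped in the following hunk; confirm the intended form, for example `:ref:`source-only <some-label>``, and, because the original target was a devguide URL, that the label resolves either locally or through an intersphinx mapping to the devguide. It is also worth keeping the link text on one line with the role, since a `:ref:` split across lines is easy to break in later edits.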
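Review bot: In the second patch's last hunk (`@@ -167,8 +168,6 @@`), deleting the `.. _source-only:` target is the right follow-through for switching to `:ref:`, but please check that no other `source-only`_ reference remains in security/policy.rst, otherwise the build will report an unknown target; the commit message "Use a ref" could also mention why (a Sphinx cross-reference is validated at build time, whereas the bare URL silently breaks if the devguide anchor moves).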