Description
Bug report
Bug description:
The Python 3.9.22 release is missing the GPG signature files (note no "GPG" column in the table):
https://www.python.org/downloads/release/python-3922/
eg:
$ curl -I https://www.python.org/ftp/python/3.9.22/Python-3.9.22.tgz.asc
HTTP/2 404
x-clacks-overhead: GNU Terry Pratchett
content-type: text/html
server: nginx
via: 1.1 varnish, 1.1 varnish, 1.1 varnish
accept-ranges: bytes
age: 220
date: Tue, 08 Apr 2025 18:47:13 GMT
x-served-by: cache-lga21956-LGA, cache-lga21956-LGA, cache-lon4239-LON
x-cache: MISS, HIT, HIT
x-cache-hits: 0, 6, 0
x-timer: S1744138033.491958,VS0,VE1
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-length: 146
This is causing our release process for the new binaries to fail, blocking releasing this security update to users:
https://github.com/heroku/heroku-buildpack-python/actions/runs/14341077254/job/40200481976#step:4:20
All of the other releases today have their GPG signatures, as does the last Python 3.9.x release (3.9.21).
This seems to be a repeat of #123807 and #127601 (see also #127602).
(We're aware of PEP-761 and have plans to switch to sigstore across the board closer to the Python 3.14 release - though PEP-761 says GPG signing is still supported for all releases prior to 3.14, so GPG is still a supported path for now.)
CPython versions tested on:
3.9
Operating systems tested on:
Linux