From 4cdf57d6dc3b238269b2a4ff205ff6d93fe6e481 Mon Sep 17 00:00:00 2001
From: Jamie Strandboge <jamie@influxdata.com>
Date: Fri, 13 Jun 2025 13:01:30 -0600
Subject: [PATCH] fix(py): update to python 3.13.5-20250612 for security fixes
 (#26518)

* fix(py): update to python 3.13.5-20250612 for security fixes

3.13.4 fixed various CVEs. Upgrade to 3.13.5 per upstream expedited
release to fix problems with 3.13.4.

* https://www.python.org/downloads/release/python-3133/
* https://www.python.org/downloads/release/python-3134/
* https://www.python.org/downloads/release/python-3135/

* fix(py): use equivalent x86_64-pc-windows-msvc instead of -shared variant

Per https://github.com/astral-sh/python-build-standalone/releases/tag/20250311,
"Windows artifacts with the -shared suffix will no longer be published:
this variant became the default in 20240415 and duplicate archives have
been published under the -shared suffix for backwards compatibility. Use
the equivalent archives without the suffix.

* chore: update README_processing_engine.md for latest versions
---
 .circleci/config.yml                          |  4 ++--
 .../scripts/fetch-python-standalone.bash      | 10 +++++-----
 README_processing_engine.md                   | 20 +++++++++----------
 3 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 79d67cfd16..7cdc9d0628 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -103,8 +103,8 @@ parameters:
 
 # Consistent environment setup for Python Build Standalone
 pbs_config: &pbs_config
-  PBS_DATE: "20250212"
-  PBS_VERSION: "3.13.2"
+  PBS_DATE: "20250612"
+  PBS_VERSION: "3.13.5"
 
 # Consistent Cargo environment configuration
 cargo_env: &cargo_env
diff --git a/.circleci/scripts/fetch-python-standalone.bash b/.circleci/scripts/fetch-python-standalone.bash
index 03f2408b0c..5a5f166887 100755
--- a/.circleci/scripts/fetch-python-standalone.bash
+++ b/.circleci/scripts/fetch-python-standalone.bash
@@ -33,7 +33,7 @@ readonly PBS_TOP_DIR="/tmp/workspace"
 # - aarch64-apple-darwin
 # - aarch64-unknown-linux-gnu
 # - x86_64-unknown-linux-gnu
-# - x86_64-pc-windows-msvc-shared
+# - x86_64-pc-windows-msvc
 #
 # Note: musl builds of python-build-standablone currently (as of 2025-02-04)
 # have limitations:
@@ -47,13 +47,13 @@ readonly PBS_TOP_DIR="/tmp/workspace"
 # - https://github.com/astral-sh/python-build-standalone/blob/main/docs/running.rst
 # - https://edu.chainguard.dev/chainguard/chainguard-images/about/images-compiled-programs/glibc-vs-musl/#python-builds
 # - https://pythonspeed.com/articles/alpine-docker-python/
-readonly TARGETS="aarch64-apple-darwin aarch64-unknown-linux-gnu x86_64-unknown-linux-gnu x86_64-pc-windows-msvc-shared"
+readonly TARGETS="aarch64-apple-darwin aarch64-unknown-linux-gnu x86_64-unknown-linux-gnu x86_64-pc-windows-msvc"
 
 fetch() {
     target="$1"
     suffix="${2}"
     if [ "${suffix}" = "full.tar.zst" ]; then
-        if [ "${target}" = "x86_64-pc-windows-msvc-shared" ]; then
+        if [ "${target}" = "x86_64-pc-windows-msvc" ]; then
             suffix="pgo-${2}"
         else
             suffix="debug-${2}"
@@ -84,7 +84,7 @@ fetch() {
 
     echo "Unpacking ${binary} to '${DOWNLOAD_DIR}'"
     UNPACK_DIR="${DOWNLOAD_DIR}/${target}"
-    if [ "${target}" = "x86_64-pc-windows-msvc-shared" ]; then
+    if [ "${target}" = "x86_64-pc-windows-msvc" ]; then
         UNPACK_DIR="${DOWNLOAD_DIR}/x86_64-pc-windows-gnu"
     fi
     mkdir "${UNPACK_DIR}" 2>/dev/null || true
@@ -103,7 +103,7 @@ fetch() {
         echo "Creating ${UNPACK_DIR}/pyo3_config_file.txt"
         PYO3_CONFIG_FILE="${UNPACK_DIR}/pyo3_config_file.txt"
         PBS_DIR="${PBS_TOP_DIR}"/$(basename "${DOWNLOAD_DIR}")/$(basename "${UNPACK_DIR}")
-        if [ "${target}" = "x86_64-pc-windows-msvc-shared" ]; then
+        if [ "${target}" = "x86_64-pc-windows-msvc" ]; then
             cat > "${PYO3_CONFIG_FILE}" <<EOM
 implementation=CPython
 version=${PBS_MAJ_MIN}
diff --git a/README_processing_engine.md b/README_processing_engine.md
index f7bb617d17..230ac9a2c2 100644
--- a/README_processing_engine.md
+++ b/README_processing_engine.md
@@ -104,12 +104,12 @@ At a high level, the build process for Official builds consists of:
 
     ```
     implementation=CPython
-    version=3.11
+    version=3.13
     shared=true
     abi3=false
-    lib_name=python3.11
+    lib_name=python3.13
     lib_dir=/path/to/python-standalone/python/lib
-    executable=/path/to/python-standalone/python/bin/python3.11
+    executable=/path/to/python-standalone/python/bin/python3.13
     pointer_width=64
     build_flags=
     suppress_build_script_link_lines=false
@@ -191,18 +191,18 @@ Local development with python-build-standalone currently consists of:
 
 1. download python-build-standalone and unpack it somewhere
     * get from https://github.com/astral-sh/python-build-standalone/releases
-    * based on your host OS, choose one of `aarch64-apple-darwin-install_only_stripped.tar.gz`, `aarch64-unknown-linux-gnu-install_only_stripped.tar.gz`, `x86_64-pc-windows-msvc-shared-install_only_stripped.tar.gz`, `x86_64-unknown-linux-gnu-install_only_stripped.tar.gz`
-2. create `pyo3_config_file.txt` to match the unpacked dir and downloaded python version. Eg, if downloaded and unpacked a 3.11.x version to `/tmp/python`:
+    * based on your host OS, choose one of `aarch64-apple-darwin-install_only_stripped.tar.gz`, `aarch64-unknown-linux-gnu-install_only_stripped.tar.gz`, `x86_64-pc-windows-msvc-install_only_stripped.tar.gz`, `x86_64-unknown-linux-gnu-install_only_stripped.tar.gz`
+2. create `pyo3_config_file.txt` to match the unpacked dir and downloaded python version. Eg, if downloaded and unpacked a 3.13.x version to `/tmp/python`:
 
     ```
     $ cat ./pyo3_config_file.txt
     implementation=CPython
-    version=3.11
+    version=3.13
     shared=true
     abi3=false
-    lib_name=python3.11
+    lib_name=python3.13
     lib_dir=/tmp/python/lib
-    executable=/tmp/python/bin/python3.11
+    executable=/tmp/python/bin/python3.13
     pointer_width=64
     build_flags=
     suppress_build_script_link_lines=false
@@ -222,7 +222,7 @@ Local development with python-build-standalone currently consists of:
     $ patchelf --set-rpath '$ORIGIN/python/lib' ./target/<profile>/influxdb3
 
     # osx (be sure to match the libpython version with what you downloaded)
-    $ install_name_tool -change '/install/lib/libpython3.11.dylib' '@executable_path/python/lib/libpython3.11.dylib' ./target/<profile>/influxdb3
+    $ install_name_tool -change '/install/lib/libpython3.13.dylib' '@executable_path/python/lib/libpython3.13.dylib' ./target/<profile>/influxdb3
     ```
 
 5. Linux/OSX: put the python runtime in the expected location (XXX: may be
@@ -284,7 +284,7 @@ builds:
  * `aarch64-apple-darwin-install_only_stripped.tar.gz`
  * `aarch64-unknown-linux-gnu-install_only_stripped.tar.gz`
  * `x86_64-unknown-linux-gnu-install_only_stripped.tar.gz`
- * `x86_64-pc-windows-msvc-shared-install_only_stripped.tar.gz`
+ * `x86_64-pc-windows-msvc-install_only_stripped.tar.gz`
 
 
 ### How will InfluxData maintain the embedded interpreter?