The upstream policy regarding what goes into 3.6 is very, very close to RHEL8. (They do fix more bugs, because they get more bug reports.)
Taking advantage of that, and aligning RHEL8's Python with upstream 3.6, would make our work easier in the future.

I went through all the commits between 3.6.7 and 3.6.8, and skimmed the changed code. I was less thorough on patches by Red Hatters (Victor Stinner, Christian Heimes, Charris Stratakis) -- I trust they are bugfixes only, and I'll verify with them directly when they get back from (sometimes extended) end-of-year PTO.

There are many doc- and test-only changes. There are also many correctness fixes, often found by static analyzers like Coverity & clang memory sanitizer. (Of course, many of those don't have known reproducers.)

Three can be considered new features -- CPython upstream does have exceptions to the "no fixes rule".
Should we open BZs for them and hunt for exception flags?
These are:

* https://bugs.python.org/issue34866 CGI DOS vulnerability via long post list
Security related -- an extra argument is added to cgi.FieldStorage, which can be used to mitigate DOS attacks in popular Web frameworks (pyramid, pylons, webapp2, and flask)

* https://bugs.python.org/issue31715 Add mimetype for extension .mjs
Possibly the most controversial – worth reading the upstream discussion to see upstream views on their "bug fixes only" policy. It got in as a special exception.

* https://bugs.python.org/issue34966 Pydoc: better support of method aliases
Changes behavior of pydoc, the tool for viewing built-in help. Extremely unlikely to affect production code.


Other changes worth noting:

* https://bugs.python.org/issue35226 mock.call equality surprisingly broken
This might be considered borderline between bugfix and new feature, and includes more refactoring than I'd like in a bugfix release.

* https://bugs.python.org/issue34574 OrderedDict iterators are exhausted during pickling
Changes behavior of pickling OrderedDict iterators, but is definitely a fix of incorrect behavior. The old behavior made the affected iterator objects useless, which makes it very unlikely that code relied on it.

* https://bugs.python.org/issue35214 Get the test suite passing with clang Memory Sanitizer enabled
Many changes fixing issues found by a static analyzer (clang MS). Includes some refactoring. Patch comes from Google.

* https://bugs.python.org/issue33029 Invalid function cast warnings with gcc 8 for getter and setter functions
* https://bugs.python.org/issue33012 Invalid function cast warnings with gcc 8 for METH_NOARGS
Many changes fixing issues found by a static analyzer (new GCC warning). The changes themselves are trivial, but there's a lot of them.

* https://bugs.python.org/issue34864 In Idle, Mac tabs make editor status line disappear.
Should be a macOS-only fix, but I couldn't verify that from a quick glance. Still, it's in IDLE, the basic code editor/graphical REPL. Extremely unlikely to affect production code.

* https://bugs.python.org/issue22005 datetime.__setstate__ fails decoding python2 pickle
The fix is longer than I'd like in a maintenance release, given that the bug it fixes is not that severe. OTOH, our customers will be happy for every python2/python3 compatibility wrinkle we can iron out.

Created attachment 1517968 [details]
Notes on changes between Python 3.6.7 and 3.6.8

Here are my notes, for reference.