The backwards compatibility argument only applies to Python 2 maintenance releases (where dreid indicated an intention to request backporting the change), and there I'm quite happy to take the position of "use requests, Twisted or Python 3.5+ to get HTTPS done right".

">

(original) (raw)


On 3 Sep 2014 18:28, "Cory Benfield" <cory@lukasa.co.uk> wrote:

> This is definitely true, and this change is both. The only question
\> that matters is whether we believe we're doing users a service by
\> breaking their code. I'd argue, along with Glyph, Alex and Donald,
\> that we are. I've been on the losing side of this debate a number of
\> times though, and I expect I will be again.

The default stdlib behaviour will change in 3.5, I don't think anyone is disputing that. While I earlier said that should depend on the sslcustomize PEP, I now think they should be made orthogonal so the SSL customisation PEP can focus on its potential for \*increasing\* security in properly configured environments rather than deliberately decreasing it after upgrading to Python 3.5 in improperly configured ones.

The backwards compatibility argument only applies to Python 2 maintenance releases (where dreid indicated an intention to request backporting the change), and there I'm quite happy to take the position of "use requests, Twisted or Python 3.5+ to get HTTPS done right".

There are a variety of reasons not to use the Python 2 stdlib for modern networking, and making better tools more readily accessible to Python 2 users by backporting ensurepip is my preferred answer.

Regards,
Nick.