On Tuesday, January 16, 2018, Steve Dower <steve.dower@python.org> wrote:

From my perspective, we can’t keep an OpenSSL-like API and use Windows platform libraries (we could do a requests-like API easily enough, but even urllib3 is painfully low-level).

Support for Windows SChannel and Apple SecureTransport is part of the TLS module.

IDK how far along that work is (whether it'll be ready for 3.7 beta 1)? Or where those volunteering to help with the TLS module can send PRs?

https://github.com/python/peps/blob/master/pep-0543.rst

https://www.python.org/dev/peps/pep-0543/

http://markmail.org/search/?q=list%3Aorg.python+PEP+543+TLS

https://www.python.org/dev/peps/pep-0543/#interfaces

We have to continue shipping our own copy of OpenSSL on Windows. Nothing to negotiate here except whether OpenSSL releases should trigger a Python release, and I think that decision can stay with the RM.

Good luck solving macOS :o)

Cheers,

Steve

Top-posted from my Windows phone

From: Stephen J. Turnbull
Sent: Tuesday, January 16, 2018 17:45
To: Matt Billenstein
Cc: Christian Heimes; python-dev@python.org
Subject: Re: [Python-Dev] Python 3.7: Require OpenSSL >=1.0.2 / LibreSSL >=2.5.3

Matt Billenstein writes:

> In my mind it becomes easier to bundle deps in a binary installer
> across the board (Linux, OSX, Windows) rather than rely on whatever
> version the operating system provides.

Thing is, as Christian points out, TLS is a rapidly moving target. Every Mac OS or iOS update seems to link to a dozen CVEs for TLS support. We can go there if we have to, but it's often hard to go back when vendor support catches up to something reasonable. I think this is something for Ned and Christian and Steve to negotiate, since they're the ones who are most aware of the tradeoffs and bear the costs.
