[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements

Nick Coghlan ncoghlan at gmail.com
Sat Mar 22 23:33:35 CET 2014


On 23 March 2014 08:16, "Martin v. Löwis" <martin at v.loewis.de> wrote:

> On 22.03.14 22:17, Cory Benfield wrote:
>
>> I am 100%, overwhelmingly in favour of this. Without this PEP, Python 2.7 is a security liability, and it becomes nothing short of irresponsible to use Python 2.7 for any form of networking code that hits the open internet.
>
> Agreed (although this might be a slight overstatement if taken literally). However, the right consequence should be to use Python 3.4 instead.

The PEP does try to address this point in the Motivation & Rationale sections:

=================
Requiring that latent defects in an application's Unicode correctness be addressed in order to migrate to Python 3 is not a reasonable alternative recommendation, especially given the likely existence of legacy code that lacks the kind of automated regression test suite needed to help support a migration from Python 2 to Python 3. The key point of this PEP is that those situations affect more people than just the developers and users of the affected application: their existence becomes something that developers of secure networked services need to take into account as part of their security design. By making it more feasible to enhance the security of the Python 2 series, we can help contribute to the evolution of a more secure internet for all concerned.
=================

Hard-to-maintain legacy software is a fact of life, and way too much of it is exposed to the public internet. This PEP is about doing what we can to mitigate the damage caused both by other people's mistakes and by the inherent challenges of migrating from the error-prone POSIX text model to something more reasonable.

I don't think it's reasonable to expect us to do this without support from the corporate users that caused the problem in the first place (by continuing to deploy older versions of Python without investing adequately in their upkeep), so I'd encourage everyone employed by a commercial user of Python to remind their management chains of the risks of failing to invest development time in any upstream dependencies that they expect to keep pace with the dynamic nature of the internet.

Regards, Nick.

-- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
