[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements

Nick Coghlan ncoghlan at gmail.com
Sun Mar 23 02:07:26 CET 2014


On 23 March 2014 10:40, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> On 23.03.14 01:15, Christian Heimes wrote:
>> On 23.03.2014 01:01, Antoine Pitrou wrote:
>>> This is a bit limited. There are remotely-exploitable security issues which are still open on the bug tracker; they are not cryptography-related, but that shouldn't make a difference.
>>>
>>> (for example the dreaded XML issues have never been properly fixed, AFAICT)
>>
>> True, you may blame me for the situation. Only a handful of people were interested in the XML issues. I ran out of steam and moved to more sapid topics, too.
>
> I don't think anybody wanted to assign blame (although I can sympathize with your urge to accept the blame). The fact is that this is a volunteer project: we do what we can and have fun doing.

Agreed completely - what I'm trying to do here is set up a plan that is at least acceptable to the upstream community, so we can then seek corporate support for actually putting it into practice (and I'd advise against us accepting any proposal to resolve the situation without receiving binding commitments to provide ongoing maintenance support - while I think this proposal is important, I'm under no illusions that actually implementing it will be fun, and it's not appropriate to ask people to do that in their own time).

However, we have a lot of downstream users and redistributors that have been taking CPython core development for granted, and by so doing, they have allowed a situation to develop that has some rather negative implications for the overall security of networked communications in the Python ecosystem. Since some of those same corporate redistributors are a key enabler allowing users to stay on those old releases that are no longer supported upstream, and others are likely to be being conservative in their own Python 3 migrations, I believe they share a lot of the responsibility for helping to resolve it, either by facilitating the migration to Python 3, helping to improve the networking security situation in Python 2, or, preferably, both.

Regards, Nick.

-- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia


