[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements (original) (raw)

Skip Montanaro skip at pobox.com
Sun Mar 23 14:00:02 CET 2014

On Sat, Mar 22, 2014 at 11:31 PM, Terry Reedy <tjreedy at udel.edu> wrote:

The download page for the final 2.7.z maintenance release could say something like "We recommend that you move to the most recent Python 3 version if at all possible. If you cannot do that and you want to use Python to run a server on the public internet, we urge you to instead use the latest version of ServerPython 2.7.1s. This series is based on Python 2.7.z but has been and will continue to be enhanced with security features backported from Python 3."

I'm unclear how this would be better than just biting the bullet and making a 2.8 release. On the one hand, the 2.7.x number suggests (based on the existing release protocol) that it should be a drop-in replacement for earlier 2.7 micro releases. On the other hand, calling it something like "ServerPython" implies that it's not necessary for network client applications, when, if I read the PEP correctly, it most certainly would be.

If you create a 2.8 release which is restricted to just the topic areas of the PEP (that is, no other stuff backported from 3.x, no requirement to add other non-security bug fixes, etc), the incremented minor version number tells people that a bit of extra care is required to upgrade. The lack of change in the code base outside the security apparatus should make update pretty trivial for most every non-networked application. If the PEP or something like it is approved, the work is still going to have to be done, no matter what you call it. Why not be transparent about it?

Skip

More information about the Python-Dev mailing list