[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements

Barry Warsaw barry at python.org
Mon Mar 24 00:24:29 CET 2014


On Mar 23, 2014, at 01:01 AM, Antoine Pitrou wrote:

> But enforcing "secure by default" can by construction break backwards compatibility, which is the very reason we are so conservative with such changes.
>
> Also, many developers who are stuck on Python 2 have already evaluated, designed, and implemented workarounds for security issues in ancient stdlib code. You have to be very careful that any changes in some future 2.7 stdlib secure-by-default release don't break those workarounds. That's a "trick question" too because you can't know all of them.

I didn't read the PEP until just now, so I never saw the first draft. As written it still makes me uncomfortable because as Antoine says, lots of changes could be classified as "security related" and we definitely don't want this PEP to be used as a wedge to make a wink-wink-nudge-nudge release of Python 2.8.

I think the key point for consumers of Python has to be predictability.

-Barry



More information about the Python-Dev mailing list