[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements
R. David Murray rdmurray at bitdance.com
Mon Mar 24 15:21:50 CET 2014
- Previous message: [Python-Dev] PEP 466: Proposed policy change for handling network security enhancements
- Next message: [Python-Dev] PEP 466: Proposed policy change for handling network security enhancements
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Sun, 23 Mar 2014 21:31:12 -0400, Barry Warsaw <barry at python.org> wrote:
> On Mar 24, 2014, at 11:38 AM, Chris Angelico wrote:
> > Easy. Just set PYTHONPATH to import the SEPython [1] lib ahead of the
> > standard lib. Then you can go back to the standard 2.7 (if you want
> > to) by unsetting PYTHONPATH.
> >
> > It'd be nice if SEPython defined a modified sys.version for clarity,
> > but otherwise, it'd be a vanilla Python 2.7.
>
> That's certainly more in the direction of what I think is an appropriate
> upstream solution. The thing is, there isn't one single "what's best for
> users" resolution. There are many, many competing requirements and I
> think it will be difficult to satisfy everyone. I'm particularly
> sensitive to complaints of unexpected changes between micro releases.
In the context of that last sentence, I think it is worth noting the stance that 3.4 is taking[*] about security backward compatibility, since many people may not be aware of it (we only just finished making the documentation clear).
If you use create_default_context() to get your context object, you get a "best practices" level of security that may change between maintenance releases. If you want things to not change between maintenance releases, you create your own context object and set its controls appropriately.
In other words, the programmer opts in to maintenance release security improvements by using create_default_context. I presume that whatever comes out of this PEP will use the same approach.
Note: thanks again to Christian Heimes and Antoine Pitrou for this work. Without Christian's work, I think we wouldn't even be having this conversation. Antoine's earlier work laid essential groundwork, but by itself I'm not sure that would have been enough to result in calls for a backport. It took both of them, with some help from others as well.
--David
[*] I actually don't know if this was discussed on python-dev previously because I've got a backlog of messages I'm not caught up on. If it hasn't been, then doubly good to mention it now, since the first 3.4 maintenance release hasn't happened yet :)
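The two ways of obtaining a context that the message contrasts, as an added example (not code from the thread or from CPython itself): create_default_context() hands the security settings to the standard library, which may tighten them in a maintenance release, while a hand-built SSLContext fixes every control explicitly. The cipher string and the settings snapshot are my own constructed choices, and the code assumes Python 3.7 or newer for TLSVersion and minimum_version.

```python
"""Opt-in vs. pinned TLS client contexts in the ssl module.

default_context(): settings chosen by the stdlib; may change between
maintenance releases (the opt-in described in the message).
pinned_context(): every security-relevant control set by the program,
so a Python upgrade does not silently alter the client's TLS behaviour.
"""
import ssl


def default_context() -> ssl.SSLContext:
    """Delegate the choice of protocol versions, ciphers and verification
    to the standard library's current notion of best practice."""
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH)


def pinned_context() -> ssl.SSLContext:
    """Build the context by hand and set each control explicitly.
    Assumes Python 3.7+ (TLSVersion / minimum_version)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True                      # verify the peer's name
    ctx.verify_mode = ssl.CERT_REQUIRED            # and its certificate chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse older protocol versions
    ctx.options |= ssl.OP_NO_COMPRESSION           # no TLS-level compression
    # Constructed example cipher list (AEAD suites with forward secrecy for
    # TLS 1.2); a real deployment would choose and review this itself.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5")
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def settings(ctx: ssl.SSLContext) -> dict:
    """Snapshot the controls worth comparing across Python releases.
    Enum members are reduced to their names so snapshots compare cleanly."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "ciphers": sorted(c["name"] for c in ctx.get_ciphers()),
    }


def drift(ctx_a: ssl.SSLContext, ctx_b: ssl.SSLContext) -> list:
    """Names of the settings that differ between two contexts. Running this
    against a snapshot recorded before an upgrade shows exactly what a
    maintenance release changed in create_default_context()."""
    a, b = settings(ctx_a), settings(ctx_b)
    return [key for key in a if a[key] != b[key]]


def only_aesgcm_for_tls12(ctx: ssl.SSLContext) -> bool:
    """True if every TLS 1.2 suite the context offers is an AES-GCM suite
    (TLS 1.3 suites are fixed by the protocol and not covered by set_ciphers)."""
    return all(
        c["protocol"] == "TLSv1.3" or "GCM" in c["name"]
        for c in ctx.get_ciphers()
    )


if __name__ == "__main__":
    for name, ctx in (("default", default_context()), ("pinned", pinned_context())):
        snap = settings(ctx)
        print(name, {k: v for k, v in snap.items() if k != "ciphers"},
              len(snap["ciphers"]), "cipher suites")
    print("settings that differ:", drift(default_context(), pinned_context()))
```

Keeping the output of settings() under version control and diffing it after each Python upgrade turns the policy described above into something a maintainer can check: with the pinned context the diff should be empty, and with the default context it lists precisely the improvements that the maintenance release opted the program into.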