[Python-Dev] PEP 466 (round 2): Network security enhancements for Python 2.7
Nick Coghlan ncoghlan at gmail.com
Tue Mar 25 09:11:49 CET 2014
On 25 March 2014 09:04, Donald Stufft <donald at stufft.io> wrote:
> On Mar 24, 2014, at 5:38 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>
> While I totally agree that it would be incredibly awesome if more companies put dedicated time into developing and maintaining CPython I don't think pushing all the blame on to them is accurate.
>
> The attitude towards security issues and backwards compatibility has a somewhat equal share in the causes of the aging security infrastructure of the 2.x line. Now this PEP, if accepted, does a lot to resolve the largest offenders of this policy (and there have been some signs lately that perhaps going forward this will be better) but I think it is not doing anyone a favor if we just point fingers over there and claim the fault lies with someone else doing or not doing something. I don't want to disparage anyone or anything of that like, mostly to say that while of course increased resources from corporate users would help the situation immensely but that additionally there is a reasonably sized contingent of influential members who still want to treat Python as a hobbyist project and not a critical piece of the infrastructure of the Internet as a whole. I don't want to get help from downstream users, especially on important but "boring" or hard issues such as security, and then have them feel shut down and unable to actually get anything done as others who have attempted to resolve some of these issues in the past have had happen to them.
I actually agree with this (hence why I wrote the PEP in the first place), I just became really, really, really, annoyed with certain organisations over the course of writing the PEP drafts and that is reflected in the tone of the latest draft. However, in deliberately not naming names, I now realise I've left it open to other organisations thinking "Does he mean us? How is this our fault?". For clarification: if an org is guessing whether or not I was referring to them in particular while drafting the PEP, then no, I'm not. The specific organisations concerned are in absolutely no doubt as to the fact I'm genuinely angry with them.
That said, while it certainly made me feel better at the time, I agree some of the current phrasing is not actually helpful in resolving the situation amicably for the benefit of all concerned, so I'll revise the offending sections of the PEP :)
Regards, Nick.
-- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia