[Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)

Nick Coghlan ncoghlan at gmail.com
Tue Nov 17 08:44:50 EST 2015


On 17 November 2015 at 20:33, Victor Stinner <victor.stinner at gmail.com> wrote:

> 2015-11-17 1:00 GMT+01:00 Guido van Rossum <guido at python.org>:
>
>> Hm, making Christian the BDFL-delegate would mean two out of three authors and the BDFL-delegate all working for Red Hat, which clearly has a stake (and IIUC has already committed to this approach ahead of PEP approval). So then it would look like this is just rubber-stamping Red Hat's internal decision process (if it's a process -- sounds more like an accident :-). Can we try to get a vote from maintainers of the Python2/3 packages of other Linux distributions? Debian, Ubuntu, OpenSUSE, etc.?

I know Oracle were interested based on a discussion between them and a member of Red Hat's product security team about it on oss-security, but their devs never followed up on it upstream (even after an explicit suggestion that they do so), so I'm interpreting that as willingness to go along with whatever happens in RHEL.

For Debian, Ubuntu and SUSE, their original determinations for the relevant CVE were "too intrusive to backport", so folks currently need to upgrade to newer versions of those distros to get the improved default behaviour:

If having an opt-in backwards-compatible-by-default approach available (albeit as a PEP 466+476+493 patch set in the RHEL/CentOS system Python 2.7.5 package) prompts other distro security teams to reconsider those initial assessments, that would be a nice outcome, but it isn't my own main priority (so Guido makes a good point in favouring finding a non-Red-Hatter willing to act as BDFL-Delegate).

Regards, Nick.

-- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia



More information about the Python-Dev mailing list