[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7
Cory Benfield cory at lukasa.co.uk
Thu Jun 1 10:09:41 EDT 2017
On 1 Jun 2017, at 14:53, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Thu, 1 Jun 2017 14:37:55 +0100 Cory Benfield <cory at lukasa.co.uk> wrote:
>>> And indeed it doesn't. Unless the target user base for pip is widely different than Python's, it shouldn't cause you any problems either.
>> Maybe not now, but I think it’s fair to say that it did, right?
> Until Python 3.2 and perhaps 3.3, yes. Since 3.4, definitely not. For example asyncio quickly grew a sizable community around it, even though it had established Python 2-compatible competitors.
Sure, but “until 3.2” covers a long enough time to take us from now to “deprecation of Python 2”. Given that the Requests team is 4 people, unlike python-dev’s much larger number, I suspect we’d have at least as much pain proportionally as Python did. I’m not wild about signing up for that.
>>> Then the PEP is really wrong or misleading in the way it states its own motivations.
>> How so?
> In the sentence "There are plans afoot to look at moving Requests to a more event-loop-y model, and doing so basically mandates a MemoryBIO", and also in the general feeling it gives that the backport is motivated by security reasons primarily.
Ok, let’s address those together.
There are security reasons to do the backport, but they are “it helps us build a pathway to PEP 543”. Right now there are a lot of people interested in seeing PEP 543 happen, but vastly fewer in a position to do the work. I am, but only if I can actually use it for the things that are in my job. If I can’t, then PEP 543 becomes an “evenings and weekends” activity for me at best, and something I have to drop entirely at worst.
Adopting PEP 543 would be a security benefit, so while this PEP itself is not directly in and of itself a security benefit, it builds a pathway to something that is.
As to the plans to move Requests to a more event loop-y model, I think that it does stand in the way of this, but only insomuch as, again, we want our event loopy model to be as bug-free as possible. But I can concede that rewording on that point would be valuable.
However, it’s my understanding that even if I did that rewording, you’d still be against it. Is that correct?
Cory