[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them) (original) (raw)
Steve Dower steve.dower at python.org
Thu Sep 6 15:10:33 EDT 2018
- Previous message (by thread): [Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
- Next message (by thread): [Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 06Sep2018 0758, Victor Stinner wrote:
Are you volunteer to fix the XML modules?
If Christian is not able to keep maintaining the defused* packages, then I may take a look at this next week at the sprints. The built-in XML packages actually don't meet Microsoft's internal security requirements, so I have some business motivation to do it. Hopefully it doesn't turn me into the sole XML maintainer...
Ultimately, however, I think we're looking at technically incompatible design changes, which is why simply dropping in a "fix" for 3.4 would not work whereas adding new options (with more secure defaults) may work for 3.8.
So I'm agreed with nearly everyone else - bugs should stay open as long as we're interested in taking a fix, even if they've already been open for a long time. Our issue tracker is a backlog, not a plan, so there is no penalty for something sitting in there for a long time.
Cheers, Steve
- Previous message (by thread): [Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
- Next message (by thread): [Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]