[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them) (original) (raw)
Victor Stinner vstinner at redhat.com
Fri Sep 7 04:27:49 EDT 2018
- Previous message (by thread): [Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
- Next message (by thread): [Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Le ven. 7 sept. 2018 à 10:23, Christian Heimes <christian at python.org> a écrit :
Back in the days, I didn't push hard for the necessary fixes, because all fixes were breaking changes. After all I'd have to disable some features that people may have relied upon. The XML security stuff was my first major security topic for Python, even before SipHash24. I was more concerned not to break people's software than to keep the majority of users safe. I have changed my opinion over the last six, seven years.
I understood that Python 2.7.9 which required a valid TLS certificate annoyed many customers. So I don't think that it would be a good idea to enforce XML security in a minor Python release. But would it make sense to make XML stricter in Python 3.8 and add an option to opt-out? Or do we need a cycle of 1.5 year (Python 3.8) with a warning, and change the default in the next cycle?
The topic is on the agenda for the core dev sprint.
Great :-) Thanks are moving on.
Victor
- Previous message (by thread): [Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
- Next message (by thread): [Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]