<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><br><div><div>On Mar 24, 2014, at 5:38 PM, Nick Coghlan <<a href="mailto:ncoghlan@gmail.com">ncoghlan@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><p dir="ltr"><br>
On 25 Mar 2014 04:00, "Nikolaus Rath" <<a href="mailto:Nikolaus@rath.org">Nikolaus@rath.org</a>> wrote:<br>
><br>
> Nick Coghlan <<a href="mailto:ncoghlan@gmail.com">ncoghlan@gmail.com</a>> writes:<br>
> > Maintainability<br>
> > ---------------<br>
> ><br>
> > This policy does NOT represent a commitment by volunteer contributors to<br>
> > actually backport network security related changes from the Python 3 series<br>
> > to the Python 2 series. Rather, it is intended to send a clear signal to<br>
> > potential corporate contributors that the core development team are willing<br>
> > to review and merge corporate contributions that put this policy into<br>
> > effect.<br>
><br>
> As I understand, at least for smaller patches it is actually more work<br>
> to apply a patch than to write it. With that in mind, are there<br>
> really sufficient volunteer resources available to review and merge<br>
> these corporate contributions if they come? The issue tracker certainly<br>
> does not lack issues with unreviewed and/or unapplied patches...</p><p dir="ltr">At least to start, this would likely be about seeking more upstream time for existing core contributors.</p><p dir="ltr">Beyond that, PEP 462 covers another way for corporate users to give back - if they want to build massive commercial enterprises on our software, they can help maintain and upgrade the infrastructure that makes it possible in the first place.</p><p dir="ltr">It's potentially worth reading some of the board candidate statements for this year, particularly mine and Van's:</p><p dir="ltr"><a href="https://wiki.python.org/moin/PythonSoftwareFoundation/BoardCandidates2014">https://wiki.python.org/moin/PythonSoftwareFoundation/BoardCandidates2014</a></p><p dir="ltr">The lack of paid development time for CPython compared to similarly critical projects like the Linux kernel and OpenStack is of grave concern to me personally from a volunteer burnout perspective, and it was a problem at least Van and I were already specifically wanting to address over the next year or so. Over the course of writing the PEP I realised that the situation with the Python 2 network security modules is a perfect example of the kinds of problems that the current lack of upstream engagement and investment can cause.</p><p dir="ltr">Cheers,<br>
Nick.<br></p><p dir="ltr">><br>
><br>
> Best,<br>
> -Nikolaus<br>
><br>
> --<br>
> Encrypted emails preferred.<br>
> PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C<br>
><br>
> »Time flies like an arrow, fruit flies like a Banana.«<br>
> _______________________________________________<br>
> Python-Dev mailing list<br>
> <a href="mailto:Python-Dev@python.org">Python-Dev@python.org</a><br>
> <a href="https://mail.python.org/mailman/listinfo/python-dev">https://mail.python.org/mailman/listinfo/python-dev</a><br>
> Unsubscribe: <a href="https://mail.python.org/mailman/options/python-dev/ncoghlan%40gmail.com">https://mail.python.org/mailman/options/python-dev/ncoghlan%40gmail.com</a><br>
</p>
</blockquote></div><br><div><div>I'd like to just go on a brief tangent here.</div><div><br></div><div>While I totally agree that it would be incredibly awesome if more companies put</div><div>dedicated time into developing and maintaining CPython I don't think pushing</div><div>all the blame on to them is accurate.</div><div><br></div><div>The attitude towards security issues and backwards compatibility has a somewhat</div><div>equal share in the causes of the aging security infrastructure of the 2.x line.</div><div>Now this PEP, if accepted, does a lot to resolve the largest offenders of this</div><div>policy (and there have been some signs lately that perhaps going forward this</div><div>will be better) but I think it is not doing anyone a favor if we just point</div><div>fingers *over there* and claim the fault lies with someone else doing or not</div><div>doing something.</div><div><br></div><div>I *don't* want to disparage anyone or anything of that like, mostly to say that</div><div>while of course increased resources from corporate users would help the situation</div><div>immensely but that additionally there is a reasonably sized contingent of</div><div>influential members who still want to treat Python as a hobbyist project and</div><div>not a critical piece of the infrastructure of the Internet as a whole. I</div><div>*don't* want to get help from downstream users, especially on important but</div><div>"boring" or hard issues such as security, and then have them feel shut down and</div><div>unable to actually get anything done as others who have attempted to resolve</div><div>some of these issues in the past have had happen to them.</div></div><div><br></div><div>
<br>-----------------<br>Donald Stufft<br>PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
</div>
<br></body></html>