On Jul 29, 2015 11:08 AM, "Robert Collins" <robertc@robertcollins.net> wrote:
>
> On 30 July 2015 at 04:50, Guido van Rossum <guido@python.org> wrote:
> > The more recent Python 2.7 bugfix releases have
> > specific exemptions from the backwards compatibility requirements for
> > security fixes -- because their lifespan will still be many years (EOL of
> > 2.7 is summer 2020).
> [snip]
> https://docs.python.org/devguide/devcycle.html#security-branches
> "...The only changes made to a security branch are those fixing issues
> exploitable by attackers such as crashes, privilege escalation and,
> optionally, other issues such as denial of service attacks. Any other
> changes are not considered a security risk and thus not backported to
> a security branch."
>
> This page doesn't specify the exception for 2.7, and by my poor
> reading of it the http issue wouldn't pass muster - but I think it was
> appropriate to apply. So I'm confused. Help :).

See PEP 466.

https://www.python.org/dev/peps/pep-0466/

-eric