On 24 November 2015 at 13:20, Nick Coghlan <ncoghlan@gmail.com> wrote:
> I believe you're referring mainly to the original PEP 476 change there. In the context of PEP 493, this is another group that would potentially benefit from the suggested "security downgrade" environment variable (if any redistributors decide to implement that - RHEL doesn't as yet), since it would provide a way to restore the old behaviour without changing their client code or monkeypatching the SSL module as described in PEP 476.
I'm actually referring to the fact that your classification didn't seem to include people who have no control over their infrastructure (except in class 1, which implies ignorance rather than powerlessness...). PEP 493 is of benefit to such people, so there's no downside in explicitly noting this.

My concern is that *because* people consistently forget about the class of people who have to put up with bad infrastructure but can't do anything about it, we risk promoting a sense of "security as the enemy" - which is the direct opposite of what we're trying to do.

I have no interest or opinion regarding this PEP itself, but I would like to see "people who have to put up with whatever infrastructure they are dumped with, and use Python to ease that burden" recognised as an important class of user. They are very under-represented in discussions, as it's usually big business closed source and similar environments that are in that situation.

Simply adding "people who have no control over their broken infrastructure" with a note that this PEP helps them would be sufficient here (and actually helps the case for the PEP, so why not? ;-))

Apologies, this is a bit of a hobby horse of mine, I'll pipe down now.

Paul.