On 17 November 2015 at 20:33, Victor Stinner <victor.stinner@gmail.com> wrote:
2015-11-17 1:00 GMT+01:00 Guido van Rossum <guido@python.org>:
Hm, making Christian the BDFL-delegate would mean two out of three authors *and* the BDFL-delegate all working for Red Hat, which clearly has a stake (and IIUC has already committed to this approach ahead of PEP approval). So then it would look like this is just rubber-stamping Red Hat's internal decision process (if it's a process -- sounds more like an accident :-).
Can we try to get a vote from maintainers of the Python2/3 packages of other Linux distributions? Debian, Ubuntu, OpenSUSE, etc.?
I know Oracle were interested based on a discussion between them and a member of Red Hat's product security team about it on oss-security, but their devs never followed up on it upstream (even after an explicit suggestion that they do so), so I'm interpreting that as willingness to go along with whatever happens in RHEL.

For Debian, Ubuntu and SUSE, their original determinations for the relevant CVE were "too intrusive to backport", so folks currently need to upgrade to newer versions of those distros to get the improved default behaviour:

* http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9365.html
* https://security-tracker.debian.org/tracker/CVE-2014-9365
* https://www.suse.com/security/cve/CVE-2014-9365.html

If having an opt-in backwards-compatible-by-default approach available (albeit as a PEP 466+476+493 patch set in the RHEL/CentOS system Python 2.7.5 package) prompts other distro security teams to reconsider those initial assessments, that would be a nice outcome, but it isn't my own main priority (so Guido makes a good point in favouring finding a non-Red-Hatter willing to act as BDFL-Delegate)

Regards,
Nick.

--
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia