On Nov 24, 2015, at 10:18 AM, Nick Coghlan wrote:
> Since we already know Red Hat are OK with the draft recommendations, and I missed the RHEL 7.2 release date anyway, perhaps Barry or Matthias might be interested in tilting at the Ubuntu 14.04 LTS stable release update windmill? I know there was previously a decision from Ubuntu Security not to backport PEPs 466 & 476 to 2.7.5 due to the stability risks [1], but the configuration file based approach recommended in PEP 493 is backwards compatible by default
Right, but this isn't a patch we'd particularly want to carry ourselves. Maybe if it were available upstream, tried and tested, it could be considered for backporting, but it still wouldn't be zero cost. We'd have to also handle migration paths to newer Ubuntu releases, which probably means removing the config file on future upgrades. There's also the possibility of implementing different defaults on new installs of 14.04 versus upgrades to 14.04. And even if a system administrator enabled it for one particular application, it could break other applications on the same machine, so it just punts a difficult decision down the line.

We're also not seeing much (any?) demand from our users, and the initial attempt at turning this on by default *did* get a strong negative reaction because of the compatibility break.

I'm concerned about accepting PEP 493 making a strong recommendation to downstreams. Yes, in an ideal world we all want security by default, but I think the backward compatibility concerns of the PEP are understated, especially as they relate to a maintenance release of a stable long term support version of the OS. I don't want PEP 493 to be a cudgel that people beat us up with instead of having an honest discussion of the difficult trade-offs involved.

Having said all that, I think informing people of the issue, and letting any future reconsideration be demand driven is the right approach for now.

$0.02-ly y'rs,
-Barry