On Mar 24, 2014, at 5:38 PM, Nick Coghlan <ncoghlan@gmail.com> wrote:

On 25 Mar 2014 04:00, "Nikolaus Rath" <Nikolaus@rath.org> wrote:
>
> Nick Coghlan <ncoghlan@gmail.com> writes:
> > Maintainability
> > ---------------
> >
> > This policy does NOT represent a commitment by volunteer contributors to
> > actually backport network security related changes from the Python 3 series
> > to the Python 2 series. Rather, it is intended to send a clear signal to
> > potential corporate contributors that the core development team are willing
> > to review and merge corporate contributions that put this policy into
> > effect.
>
> As I understand, at least for smaller patches it is actually more work
> to apply a patch than than to write it. With that in mind, are there
> really sufficient volunteer resources available to review and merge
> these corporate contributions if they come? The issue tracker certainly
> does not lack issues with unreviewed and/or unapplied patches...
At least to start, this would likely be about seeking more upstream time for existing core contributors.
Beyond that, PEP 462 covers another way for corporate users to give back - if they want to build massive commercial enterprises on our software, they can help maintain and upgrade the infrastructure that makes it possible in the first place.
It's potentially worth reading some of the board candidate statements for this year, particularly mine and Van's:
https://wiki.python.org/moin/PythonSoftwareFoundation/BoardCandidates2014
The lack of paid development time for CPython compared to similarly critical projects like the Linux kernel and OpenStack is of grave concern to me personally from a volunteer burnout perspective, and it was a problem at least Van and I were already specifically wanting to address over the next year or so. Over the course of writing the PEP I realised that the situation with the Python 2 network security modules is a perfect example of the kinds of problems that the current lack of upstream engagement and investment can cause.
Cheers,
Nick.
>
>
> Best,
> -Nikolaus
>
> --
> Encrypted emails preferred.
> PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C
>
> »Time flies like an arrow, fruit flies like a Banana.«
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/ncoghlan%40gmail.com

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/donald%40stufft.io

I'd like to just go on a brief tangent here.

While I totally agree that it would be incredibly awesome if more companies put

dedicated time into developing and maintaining CPython I don't think pushing

all the blame on to them is accurate.

The attitude towards security issues and backwards compatibility has a somewhat

equal share in the causes of the aging security infrastructure of the 2.x line.

Now this PEP, if accepted, does a lot to resolve the largest offenders of this

policy (and there has been some signs lately that perhaps going forward this

will be better) but I think it is not doing anyone a favor if we just point

fingers *over there* and claim the fault lies with someone else doing or not

doing something.

I *don't* want to disparage anyone or anything of that like, mostly to say that

while of course increased resources from corporate users would help the situation

immensely but that additionally there is a reasonably sized contingent of

influential members who still want to treat Python as a hobbyist project and

not a critical piece of the infrastructure of the Internet as a whole. I

*don't* want to get help from downstream users, especially on important but

"boring" or hard issues such as security, and then have them feel shutdown and

unable to actually get anything done as others who have attempted to resolve

some of these issues in the past have had happen to them.