Python 2.7.7 and PEP 466
On Sun, May 18, 2014 at 5:49 PM, Benjamin Peterson wrote:
Greetings Python users, Python 2.7.7 release candidate 1 is now available for download. [...]
http://hg.python.org/cpython/raw-file/e32e3a9f3902/Misc/NEWS
So what became of PEP 466? This Misc/NEWS only mentions hmac.compare_digest.
-- --Guido van Rossum (python.org/~guido)
The SSL changes were too large to get done before 2.7.7
The pbkdf2 has a patch sitting on the tracker (http://bugs.python.org/issue21304) Alex wanted someone to review before commit. I looked over it but I don’t feel strong enough in C code to call it a proper review.
The guaranteed_algorithms bug depends on the pbkdf2 bug (http://bugs.python.org/issue21307)
The os.urandom change had some argument and some concern that the related change in 3.4 was still new and had some bugs being ironed out so it was punted until 2.7.8 (http://bugs.python.org/issue21305)
And that was everything from PEP 466.
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
Thanks for the update, Donald. Did anyone get any help from Red Hat or
other distros?
-- --Guido van Rossum (python.org/~guido)
Well I believe Alex did what he did during his work day @ Rackspace.
Distros specifically I don’t believe so, although both Alex and myself agreed that it
made sense for the SSL changes to wait until after the other changes since it was
the largest and most complicated. I think that’s the one where it makes the most
sense to try and garner help from Red Hat or the like.
Perhaps Nick knows someone at Red Hat we can poke to see if they’d be willing
to do the SSL patch :)
----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
At the very least PEP 466 needs to be updated to admit the failure -- it would be a shame if people read the PEP and assumed the promised features actually landed in 2.7.7 (which the PEP explicitly lists).
Will do - I'll update that to reference the specific issues tracking the implementation of the individual elements.
On a related note, I was also thinking about adding a new section to the What's New in Python 2.7 doc. Specifically, a new "Security Enhancements in Maintenance Releases" section after the existing "The Future of Python 2.x" section. That would reference PEP 466 for background, and then list the specific maintenance releases where these features have been added (so just the one 2.7.7 entry for hmac.compare_digest to start with).
I'd also add a direct link to PEP 373 (the 2.7 release schedule PEP) from the first bullet point under "The Future of Python 2.x" section (as well as rewording that point to better reflect the current state of things)
Regards,
Nick.
P.S. As far as additional development resources for long term upstream CPython maintenance go - I'm working on it (and my understanding is that folks at other orgs are as well). Personally, I'm still in the gap between "that's likely a good idea" and actually translating the concept into available developer time. While Heartbleed has helped raise awareness of the whole "What are we depending on without committing sufficient development resources to long term maintenance?" problem, large orgs still don't tend to move that fast :)
--
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia
On Sun, May 18, 2014, at 18:53, Guido van Rossum wrote:
So what became of PEP 466? This Misc/NEWS only mentions hmac.compare_digest.
It didn't get completely done. Most of it will land in 2.7.8 presumably.
participants (4)
- Benjamin Peterson
- Donald Stufft
- Guido van Rossum
- Nick Coghlan