Well I believe Alex did what he did during his work day @ Rackspace. Distros specifically I don’t believe so, although both Alex and myself agreed that it made sense for the SSL changes to wait until after the other changes since it was the largest and most complicated. I think that’s the one where it makes the most sense to try and garner help from Red Hat or the like. Perhaps Nick knows someone at Red Hat we can poke to see if they’d be willing to do the SSL patch :) On May 18, 2014, at 10:28 PM, Guido van Rossum wrote:

Thanks for the update, Donald. Did anyone get any help from Red Hat or other distros?

On Sun, May 18, 2014 at 7:02 PM, Donald Stufft wrote:

On May 18, 2014, at 9:53 PM, Guido van Rossum wrote:

...

On Sun, May 18, 2014 at 5:49 PM, Benjamin Peterson wrote: Greetings Python users, Python 2.7.7 release candidate 1 is now available for download. [...]

http://hg.python.org/cpython/raw-file/e32e3a9f3902/Misc/NEWS

So what became of PEP 466? This Misc/NEWS only mentions hmac.compare_digest.

-- --Guido van Rossum (python.org/~guido) _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/donald%40stufft.io

The SSL changes were too large to get done before 2.7.7

The pbkdf2 has a patch sitting on the tracker (http://bugs.python.org/issue21304) Alex wanted someone to review before commit. I looked over it but I don’t feel strong enough in C code to call it a proper review.

The guaranteed_algorithms bug depends on the pbkdf2 bug (http://bugs.python.org/issue21307)

The os.urandom change had some argument and some concern that the related change in 3.4 was still new and had some bugs being ironed out so it was punted until 2.7.8 (http://bugs.python.org/issue21305)

And that was everything from PEP 466.

----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-- --Guido van Rossum (python.org/~guido)

----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

On 19 May 2014 12:35, Guido van Rossum wrote:

At the very least PEP 466 needs to be updated to admit the failure -- it would be a shame if people read the PEP and assumed the promised features actually landed in 2.7.7 (which the PEP explicitly lists).

Will do - I'll update that to reference the specific issues tracking the implementation of the individual elements. On a related note, I was also thinking about adding a new section to the What's New in Python 2.7 doc. Specifically, a new "Security Enhancements in Maintenance Releases" section after the existing "The Future of Python 2.x" section. That would reference PEP 466 for background, and then list the specific maintenance releases where these features have been added (so just the one 2.7.7 entry for hmac.compare_digest to start with). I'd also add a direct link to PEP 373 (the 2.7 release schedule PEP) from the first bullet point under "The Future of Python 2.x" section (as well as rewording that point to better reflect the current state of things) Regards, Nick. P.S. As far as additional development resources for long term upstream CPython maintenance go - I'm working on it (and my understanding is that folks at other orgs are as well). Personally, I'm still in the gap between "that's likely a good idea" and actually translating the concept into available developer time. While Heartbleed has helped raise awareness of the whole "What are we depending on without committing sufficient development resources to long term maintenance?" problem, large orgs still don't tend to move that fast :) -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia