[Distutils] Announcement: TLSv1.2 will become mandatory in the future

Donald Stufft donald at stufft.io
Wed Jan 11 22:00:33 EST 2017

> On Jan 11, 2017, at 9:58 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On 12 January 2017 at 04:26, Brett Cannon <brett at python.org> wrote:
>> On Tue, 10 Jan 2017 at 12:51 Donald Stufft <donald at stufft.io> wrote:
>>> [SNIP]
>>> It would be really nice if we could deprecate `ssl` (which has a bunch of
>>> OpenSSL specific stuff in it) and add a new `tls` module that served as an
>>> implementation agnostic library that would use OpenSSL on *nix,
>>> SecureTransport on macOS, and SChannel on Windows. However, in the meantime
>>> there are some folks poking to see about making something pip suitable that
>>> will enable us to use SecureTransport at least.
>> I know both Cory Benfield and Christian Heimes brought this up briefly at
>> the PyCon US 2016 language summit at the end of their SSL discussion, but I
>> don't think it went anywhere because there was some other discussion that
>> dominated the end of their talk (I've now tweeted at them about this
>> discussion).
>> I know Steve has also said he would love to see an agnostic TLS library so
>> that Windows' built-in libraries for this stuff could be directly used. With
>> the predicament this is going to put us in I think it makes it very prudent
>> to create a tls module for the stdlib.
> Logistically, something I think we should explore for such a module is
> using the same ensuretls/tls split that we did for ensurepip/pip. That
> way it can be more readily updated in line with the evolution of
> network security standards and operating system cryptographic APIs,
> rather than being locked into being updated in line with the evolution
> of the Python language definition.

This doesn’t work well because it’s not something that pip is going to be able to upgrade on Windows, because the .so will be locked when pip imports it on Windows and we won’t be able to uninstall it to do an upgrade. We had to disable the automatic use of pyOpenSSL for this reason too. The only C stuff that pip can reliably use is the standard library.

Donald Stufft
