[Python-checkins] peps: PEP 466: restore some rationale lost in final edits

nick.coghlan python-checkins at python.org
Mon May 12 12:55:24 CEST 2014 

http://hg.python.org/peps/rev/260c06fc4882
changeset:   5473:260c06fc4882
user:        Nick Coghlan <ncoghlan at gmail.com>
date:        Mon May 12 20:50:35 2014 +1000
summary:
  PEP 466: restore some rationale lost in final edits

files:
  pep-0466.txt |  41 ++++++++++++++++++++++++++++++++++++++++
  1 files changed, 41 insertions(+), 0 deletions(-)


diff --git a/pep-0466.txt b/pep-0466.txt
--- a/pep-0466.txt
+++ b/pep-0466.txt
@@ -322,6 +322,47 @@
 Enterprise Linux and its downstream derivatives.
 
 
+Why these particular changes?
+-----------------------------
+
+The key requirement for a feature to be considered for inclusion in this
+proposal was that it must have security implications *beyond* the specific
+application that is written in Python and the system that application is
+running on. Thus the focus on network security protocols, password storage
+and related cryptographic infrastructure - Python is a popular choice for
+the development of web services and clients, and thus the capabilities of
+widely used Python versions have implications for the security design of
+other services that may themselves be using newer versions of Python or
+other development languages, but need to interoperate with clients or
+servers written using older versions of Python.
+
+The intent behind this requirement was to minimise any impact that the
+introduction of this policy may have on the stability and compatibility of
+maintenance releases, while still addressing some key security concerns
+relating to the particular aspects of Python 2.7. It would be thoroughly
+counterproductive if end users became as cautious about updating to new
+Python 2.7 maintenance releases as they are about updating to new feature
+releases within the same release series.
+
+The ``ssl`` module changes are included in this proposal to bring the
+Python 2 series up to date with the past 4 years of evolution in network
+security standards, and make it easier for those standards to be broadly
+adopted in both servers and clients. Similarly the hash algorithm
+availability indicators in ``hashlib`` are included to make it easier for
+applications to detect and employ appropriate hash definitions across both
+Python 2 and 3.
+
+The ``hmac.compare_digest()`` and ``hashlib.pbkdf2_hmac()`` are included to
+help lower the barriers to secure password storage and checking in Python 2
+server applications.
+
+The os.urandom change has been included in this proposal to help encourage
+users to leave the task of providing high quality random numbers for
+cryptographic use case to operating system vendors (as this is a genuinely
+hard problem, and operating system developers have more tools available to
+deal with it than Python application runtimes)
+
+
 Rejected alternative: just advise developers to migrate to Python 3
 -------------------------------------------------------------------
 

-- 
Repository URL: http://hg.python.org/peps

More information about the Python-checkins mailing list