[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements

Cory Benfield cory at lukasa.co.uk
Sat Mar 22 22:17:17 CET 2014

On 22 March 2014 at 21:11:24, Nick Coghlan (ncoghlan at gmail.com(mailto:ncoghlan at gmail.com)) wrote:

> Folks,
> I have just posted a proposal to change the way we treat enhancements
> that relate to Python's support for network security enhancements. I
> now see these as categorically different from most other enhancements,
> as they have implications for the evolution of internet security as a
> whole, rather than being limited to affecting the security of
> individual applications written in Python.

I am 100%, overwhelmingly in favour of this. Without this PEP, Python 2.7
is a security liability, any it becomes nothing short of irresponsible to
use Python 2.7 for any form of networking code that hits the open

On top of that, the current state of the ssl module means that Python 2.7
and earlier cannot ever support a standard-compliant implementation of
things like HTTP/2. That’s a fairly tragic state of affairs for 2.7,
especially if we’re supposed to claim with a straight face that it’s
acceptable to still use Python 2.7.

Treat this as my strong +1. Additionally, I’m happy to volunteer my time
and limited expertise to help make this happen. I’ll help work on
back porting things, review code, write docs: whatever it takes to get
this to happen.

More information about the Python-Dev mailing list