[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements

Paul Moore p.f.moore at gmail.com
Sun Mar 23 00:23:02 CET 2014


On 22 March 2014 23:07, Donald Stufft <donald at stufft.io> wrote:
> As someone who is deeply biased towards improving the packaging tool chain
> and getting people to use it I think that most people will simply use the
> stdlib even if a more secure alternative exists. In fact one does exist and I
> still see almost everyone using the stdlib ssl instead of pyopenssl. At best
> they have an optional dependency on it which many people who aren't security
> conscious won't even realize why they should install it.

Windows users typically will not be able to use something like
pyopenssl. It's a complex binary dependency with no wheel on PyPI.
There are no easily locatable wininst installers, even - and those are
messy to use in a virtualenv.

While the stdlib modules may have issues, "depend on pyopenssl" is not
a practical solution for many people.
Paul

