[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements

Nick Coghlan ncoghlan at gmail.com
Sun Mar 23 00:20:41 CET 2014


On 23 March 2014 09:07, Donald Stufft <donald at stufft.io> wrote:
> As someone who is deeply biased towards improving the packaging tool chain
> and getting people to use it I think that most people will simply use the
> Stdlib even if a more secure alternative exists. In fact one does exist and I
> still see almost everyone using the stdlib ssl instead of pyopenssl. At best
> they have an optional dependency on it which many people who aren't security
> conscious won't even realize why they should install it.

I should probably mention explicitly in the PEP that security-related
packages almost always involve somewhat tricky binary dependencies,
and while we're working on it, our packaging ecosystem will still
sometimes deliver a poor user experience on that front.

There's also an inherent divide between "using an old version of
Python" and "willing to use new dependencies from pip". They're not
disjoint sets (plenty of folks use the CentOS system Python + pip),
but I expect there's a large enough population of conservative
corporate users on older versions that won't use a pip-based solution
even if it's available, thus not really solving the problem.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
