[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements
Benjamin Peterson
benjamin at python.org
Sun Mar 23 00:36:59 CET 2014
On Sat, Mar 22, 2014, at 16:34, Antoine Pitrou wrote:
> On Sun, 23 Mar 2014 09:08:29 +1000
> Nick Coghlan <ncoghlan at gmail.com> wrote:
> > On 23 March 2014 08:53, Ben Darnell <ben at bendarnell.com> wrote:
> > > I agree wholeheartedly with the sentiment behind this PEP, but I have
> > > concerns about the implementation. If we introduce new APIs into the ssl
> > > module then we will see packages and applications that depend on Python
> > > 2.7.7+, just like with the introduction of bool in 2.2.1. This will be a
> > > mess unless adoption of new Python minor versions is swift and consistent.
> > > The PEP says that new features should be testable with feature detection,
> > > but how far does that go? The Python 3 NPN interface is a method of
> > > SSLContext, which didn't exist in 2.7. Do we backport the entire SSLContext
> > > interface in a minor release, or introduce a new NPN interface that is not
> > > based on SSLContext just for older Pythons?
> >
> > The whole thing.
>
> Have you first tried to do it and appreciate the amount of disruption
> it would cause?
>
> > It's not just ssl2: you need os2, random2, ftplib2, poplib2,
> > imaplib2, smtplib2. You also run headlong into the problem of a
> > complex external dependency on OpenSSL (which the Linux distro
> > repackagers currently handle for us).
>
> So are you proposing to backport changes to all these modules too? This
> sounds crazy.
If one reads the PEP, one will notice it indeed proposes a "conditional"
exception for "networking related modules that depend on one or more of
the network security related modules [ssl, hashlib,...]".