[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements
Nick Coghlan
ncoghlan at gmail.com
Sun Mar 23 02:07:26 CET 2014
On 23 March 2014 10:40, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> On 23.03.14 01:15, Christian Heimes wrote:
>> On 23.03.2014 01:01, Antoine Pitrou wrote:
>>> This is a bit limited. There are remotely-exploitable security issues
>>> which are still open on the bug tracker; they are not
>>> cryptography-related, but that shouldn't make a difference.
>>>
>>> (for example the dreaded XML issues have never been properly fixed,
>>> AFAICT)
>>
>> True, you may blame me for the situation. Only a handful of people were
>> interested in the XML issues. I ran out of steam and moved to more sapid
>> topics, too.
>
> I don't think anybody wanted to assign blame (although I can sympathize
> with your urge to accept the blame). The fact is that this is a
> volunteer project: we do what we can and have fun doing.
Agreed completely - what I'm trying to do here is set up a plan that
is at least *acceptable* to the upstream community, so we can then
seek corporate support for actually putting it into practice (and I'd
advise against us accepting *any* proposal to resolve the situation
without receiving binding commitments to provide ongoing maintenance
support - while I think this proposal is important, I'm under no
illusions that actually implementing it will be fun, and it's not
appropriate to ask people to do that in their own time).
However, we have a *lot* of downstream users and redistributors that
have been taking CPython core development for granted, and by so
doing, they have allowed a situation to develop that has some rather
negative implications for the overall security of networked
communications in the Python ecosystem. Since some of those same
corporate redistributors are a key enabler allowing users to stay on
those old releases that are no longer supported upstream, and others
are likely to be being conservative in their own Python 3 migrations,
I believe they share a lot of the responsibility for helping to
resolve it, either by facilitating the migration to Python 3, helping
to improve the networking security situation in Python 2, or,
preferably, both.
Regards,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia