[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements

Skip Montanaro skip at pobox.com
Sun Mar 23 14:00:02 CET 2014


On Sat, Mar 22, 2014 at 11:31 PM, Terry Reedy <tjreedy at udel.edu> wrote:
> The download page for the final 2.7.z maintenance release could say
> something like "We recommend that you move to the most recent Python 3
> version if at all possible. If you cannot do that and you want to use Python
> to run a server on the public internet, we urge you to instead use the
> latest version of ServerPython 2.7.1s. This series is based on Python 2.7.z
> but has been and will continue to be enhanced with security features
> backported from Python 3."

I'm unclear how this would be better than just biting the bullet and
making a 2.8 release. On the one hand, the 2.7.x number suggests
(based on the existing release protocol) that it should be a drop-in
replacement for earlier 2.7 micro releases. On the other hand, calling
it something like "ServerPython" implies that it's not necessary for
network client applications, when, if I read the PEP correctly, it
most certainly would be.

If you create a 2.8 release which is restricted to just the topic
areas of the PEP (that is, no other stuff backported from 3.x, no
requirement to add other non-security bug fixes, etc), the incremented
minor version number tells people that a bit of extra care is required
to upgrade. The lack of change in the code base outside the security
apparatus should make updating pretty trivial for most every
non-networked application. If the PEP or something like it is
approved, the work is still going to have to be done, no matter what
you call it. Why not be transparent about it?

Skip
