[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements

Barry Warsaw barry at python.org
Mon Mar 24 00:24:29 CET 2014


On Mar 23, 2014, at 01:01 AM, Antoine Pitrou wrote:

>But enforcing "secure by default" can by construction break backwards
>compatibility, which is the very reason we are so conservative with
>such changes.

Also, many developers who are stuck on Python 2 have already evaluated,
designed, and implemented workarounds for security issues in ancient stdlib
code.  You have to be very careful that any changes in some future 2.7 stdlib
secure-by-default release don't break those workarounds.  That's a "trick
question" too because you can't know all of them.

I didn't read the PEP until just now, so I never saw the first draft.  As
written it still makes me uncomfortable because as Antoine says, lots of
changes could be classified as "security related" and we definitely don't want
this PEP to be used as a wedge to make a wink-wink-nudge-nudge release of
Python 2.8.

I think the key point for consumers of Python has to be *predictability*.

-Barry

