[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements

Terry Reedy tjreedy at udel.edu
Mon Mar 24 01:50:52 CET 2014


On 3/23/2014 7:48 PM, Nick Coghlan wrote:

> Agreed. That's a key part of why the proposal is mainly about syncing
> certain key modules with their Python 3 counterparts, rather than
> piecemeal backports. That way, all you need to know is "the SSL, hashlib
> and hmac modules are kept in sync with Python 3 feature releases, but
> use the same default settings as the original Python 2.7 release".

If you restrict the proposal to just those three modules, then the 
proposal could be to just add three new modules to 2.7: ssl3, hashlib3, 
and hmac3. Each would be regularly updated backports of the 3.x modules 
with two differences: defaults for settings that exist in 2.7 would 
remain as in 2.7 and would not be updated*, and each module would get a 
.py3_ver x.y.z attribute so code could be conditioned on which backport 
version it is running with.

* though users would be encouraged to use the most secure settings.

-- 
Terry Jan Reedy


