[Python-Dev] PEP 466 (round 2): Network security enhancements for Python 2.7

Terry Reedy tjreedy at udel.edu
Tue Mar 25 01:58:10 CET 2014


On 3/24/2014 7:04 PM, Donald Stufft wrote:
>
> On Mar 24, 2014, at 5:38 PM, Nick Coghlan <ncoghlan at gmail.com
> <mailto:ncoghlan at gmail.com>> wrote:

>> Beyond that, PEP 462 covers another way for corporate users to give
>> back - if they want to build massive commercial enterprises on our
>> software, they can help maintain and upgrade the infrastructure that
>> makes it possible in the first place.
>>
>> It's potentially worth reading some of the board candidate statements
>> for this year, particularly mine and Van's:
>>
>> https://wiki.python.org/moin/PythonSoftwareFoundation/BoardCandidates2014

I read all of them.

>> The lack of paid development time for CPython compared to similarly
>> critical projects like the Linux kernel and OpenStack is of grave
>> concern to me personally from a volunteer burnout perspective,

I am glad to read that. Some of the expert professional core developers 
scoff at me being burned out from News Merge Hell and push race losses.

>> and it
>> was a problem at least Van and I were already specifically wanting to
>> address over the next year or so. Over the course of writing the PEP I
>> realised that the situation with the Python 2 network security modules
>> is a perfect example of the kinds of problems that the current lack of
>> upstream engagement and investment can cause.

> I'd like to just go on a brief tangent here.
>
> While I totally agree that it would be incredibly awesome if more
> companies put
> dedicated time into developing and maintaining CPython I don't think pushing
> all the blame on to them is accurate.

For all I know, PSF has not yet asked in the right way, whatever that 
would be.

> will be better) but I think it is not doing anyone a favor if we just point
> fingers *over there* and claim the fault lies with someone else doing or not
> doing something.

I agree that we should better figure out what to do going forward.

> I *don't* want to disparage anyone or anything of that like, mostly to
> say that
> while of course increased resources from corporate users would help the
> situation
> immensely but that additionally there is a reasonably sized contingent of
> influential members who still want to treat Python as a hobbyist project and
> not a critical piece of the infrastructure of the Internet as a whole.

I find that surprising as I do not personally know any such people. To 
me, Python is both. My only objection is to corporatists who want to 
exclude amateur and hobbyist projects, for instance from PyPI (which I 
believe started as a hobbyist project).

I personally would like someone paid full-time to upgrade the commit 
infrastructure, as soon as possible, to make current committers more 
productive and make becoming a committer more attractive. Then I would 
like 2 people paid, one for doc issues, one to code, to work on the 
backlog of contributed patches. I know that there are people who are not 
contributing any more because their previous contributions have sat 
unattended to.

> I
> *don't* want to get help from downstream users, especially on important but
> "boring" or hard issues such as security, and then have them feel
> shutdown and
> unable to actually get anything done as others who have attempted to resolve
> some of these issues in the past have had happen to them.

Just from reading pydev, I am not familiar with such events and cannot 
comment.

-- 
Terry Jan Reedy
