[Python-Dev] PEP 466 (round 3): Python 2 network security enhancements
tjreedy at udel.edu
Tue Mar 25 03:40:24 CET 2014
On 3/24/2014 9:43 AM, Nick Coghlan wrote:
> And time for round 3 :)

And round 3 of my response: contrary to what I said before, I now think
that the base proposal should be the simplest possible: selectively (and
minimally) waive the 'no-enhancement in maintenance release policy' for
future 2.7 releases because certain internet security features have
become dangerously obsolete and socially irresponsible and because 2.7
is exceptional in not having a followup version and will be exceptional
in its amount and length of use.

When we do a brown bag release in 1 to 4 weeks, we break the normal
maintenance interval. We create a nuisance for those who already
downloaded the replaced release. We create a nuisance for those who test
with each maintenance release. But the reason we do that is because we
also have a no-regression policy and we decide that the nuisance of a
quick release is over-ridden by the nuisance of regression -- even if
doing so increases the net user pain over not doing the quick release.
(I personally have not been affected by regressions so far but have been
affected by the new-release nuisance.)

In the area of internet security, standing still for too long is a form
of regression -- in terms of effectiveness.

An enhanced version of 2.7 will be a bit of a nuisance, but only for the
people who use the enhancements. The decreasing effectiveness of static
security modules will also be a nuisance.

Terry Jan Reedy