[Python-Dev] PEP 466 (round 3): Python 2 network security enhancements

Terry Reedy tjreedy at udel.edu
Tue Mar 25 03:40:24 CET 2014


On 3/24/2014 9:43 AM, Nick Coghlan wrote:
> And time for round 3 :)

And round 3 of my response: contrary to what I said before, I now think 
that the base proposal should be the simplest possible: selectively (and 
minimally) waive the 'no-enhancement in maintenance release policy' for 
future 2.7 releases because certain internet security features have 
become dangerously obsolete and socially irresponsible and because 2.7 
is exceptional in not having a followup version and will be exceptional 
in its amount and length of use.

When we do a brown bag release in 1 to 4 weeks, we break the normal 
maintenance interval. We create a nuisance for those who already 
downloaded the replaced release. We create a nuisance for those who test 
with each maintenance release. But the reason we do that is because we 
also have a no-regression policy and we decide that the nuisance of a 
quick release is over-ridden by the nuisance of regression -- even if 
doing so increases the net user pain over not doing the quick release. 
(I personally have not been affected by regressions so far but have been 
affected by the new-release nuisance.)

In the area of internet security, standing still for too long is a form
of regression -- in terms of effectiveness.

An enhanced version of 2.7 will be a bit of a nuisance, but only for the 
people who use the enhancements. The decreasing effectiveness of static 
security modules will also be a nuisance.

-- 
Terry Jan Reedy


