[Python-Dev] PEP 466 (round 2): Network security enhancements for Python 2.7

Nick Coghlan ncoghlan at gmail.com
Tue Mar 25 09:11:49 CET 2014


On 25 March 2014 09:04, Donald Stufft <donald at stufft.io> wrote:
> On Mar 24, 2014, at 5:38 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> While I totally agree that it would be incredibly awesome if more companies
> put dedicated time into developing and maintaining CPython I don't think
> pushing all the blame on to them is accurate.
>
> The attitude towards security issues and backwards compatibility has a
> somewhat equal share in the causes of the aging security infrastructure of
> the 2.x line. Now this PEP, if accepted, does a lot to resolve the largest
> offenders of this policy (and there have been some signs lately that perhaps
> going forward this will be better) but I think it is not doing anyone a
> favor if we just point fingers *over there* and claim the fault lies with
> someone else doing or not doing something.
>
> I *don't* want to disparage anyone or anything of that like, mostly to say
> that while of course increased resources from corporate users would help the
> situation immensely but that additionally there is a reasonably sized
> contingent of influential members who still want to treat Python as a
> hobbyist project and not a critical piece of the infrastructure of the
> Internet as a whole. I *don't* want to get help from downstream users,
> especially on important but "boring" or hard issues such as security, and
> then have them feel shut down and unable to actually get anything done as
> others who have attempted to resolve some of these issues in the past have
> had happen to them.

I actually agree with this (hence why I wrote the PEP in the first
place), I just became really, really, really, annoyed with certain
organisations over the course of writing the PEP drafts and that is
reflected in the tone of the latest draft. However, in deliberately
not naming names, I now realise I've left it open to *other*
organisations thinking "Does he mean us? How is this our fault?". For
clarification: if an org is guessing whether or not I was referring to
them in particular while drafting the PEP, then no, I'm not. The
specific organisations concerned are in absolutely no doubt as to the
fact I'm genuinely angry with them.

That said, while it certainly made me feel better at the time, I agree
some of the current phrasing is not actually helpful in resolving the
situation amicably for the benefit of all concerned, so I'll revise
the offending sections of the PEP :)

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

