[Python-Dev] PEP 466 (round 4): Python 2.7 network security enhancements

Paul Moore p.f.moore at gmail.com
Tue Mar 25 14:29:25 CET 2014


On 25 March 2014 13:09, Nick Coghlan <ncoghlan at gmail.com> wrote:
> * MvL has indicated he is not prepared to tackle the task of trying to
>   integrate a newer OpenSSL into the also aging Python 2.7 build
>   infrastructure on Windows (unfortunately, we've looked into upgrading
>   that build infrastructure, and the backwards compatibility issues
>   appear to be effectively insurmountable). We would require a commitment
>   from another trusted contributor to handle at least this task, and
>   potentially also taking over the task of creating the official
>   Python 2.7 Windows installers for the remaining Python 2.7 maintenance
>   releases.

One issue that strikes me is that much of the focus of this PEP is on
supporting Linux distributions. This is entirely reasonable, as they
are the ones with the sort of long-term support commitments that
result in this issue (in the Windows world, possibly ActiveState offer
formal support for Python 2.7, but otherwise I'm not aware of actual
paid support options that might be relevant on Windows). With that in
mind, is it reasonable to expect Linux vendors to support delivery of
updated Windows builds of Python 2.7? If not, is it acceptable to
python-dev to release a Python 2.7 maintenance release with backported
security enhancements only available for Linux? (The same questions
can be asked of OSX or Solaris support - this isn't solely a Windows
issue).

I think the PEP needs to be explicit here about what python-dev expect
in terms of cross-platform support. I would assume that the
expectation is that we deliver exactly the same level of
cross-platform support as for 3.x, but commercial vendors could quite
easily miss that implication if it is not spelled out.

Paul

