[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements

Nick Coghlan ncoghlan at gmail.com
Tue Mar 25 23:15:29 CET 2014 

On 26 Mar 2014 01:19, "Brett Cannon" <bcannon at gmail.com> wrote:
> As long as we make it clear we have chosen to change our
backwards-compatibility guarantees in the name of security and have a link
to the last backwards-compatible release then I agree as well.

I am not sure how this meme got started, but let me be clear: the proposed
policy DOES NOT provide blanket permission to break backwards compatibility
in the affected modules. It only allows ADDING new features to bring these
modules into line with their Python 3 counterparts, making it easier for
third party packages like requests to do the right thing in a cross-version
compatible way.

The "use feature detection, not version checks" guidelines in the PEP are
designed to deal with the concerns around subsequently missing features in
the existing Python 2.7 releases.

The remaining concern appears to be largely around the slightly increased
chance of regressions that comes with making larger changes to these
modules in order to incorporate the new features. Given our regression test
suite, and those of other projects like OpenStack and components of the
Linux distributions, I now consider that concern to be entirely misplaced.

The only "backwards compatibility breaks allowed" general exemption applies
to the new "ssl.create_default_context()" function, which *is* defined as
allowing backwards incompatible changes to keep up with evolving security
requirements. That exemption is in the documentation of that API, though -
the only impact of this PEP would be to also make that API available in
2.7.7+.

Regards,
Nick.

>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
https://mail.python.org/mailman/options/python-dev/ncoghlan%40gmail.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140326/91ecf53a/attachment-0001.html>

More information about the Python-Dev mailing list