[Python-Dev] Proposed schedule for 3.4.2

Nick Coghlan ncoghlan at gmail.com
Mon Sep 8 14:08:21 CEST 2014

On 8 September 2014 14:28, Ned Deily <nad at acm.org> wrote:
> In article <540C521C.7070802 at hastings.org>,
>  Larry Hastings <larry at hastings.org> wrote:
>> Matthias asked me when I was going to release 3.4.2.  I propose the
>> following schedule:
>>     Tag 3.4.2rc1 Friday Sep 12 2014
>>     Release 3.4.2rc1 Saturday Sep 13 2014
>>     Tag 3.4.2 final Saturday Sep 27 2014
>>     Release 3.4.2 final Sunday Sep 28 2014
>> Normally I want to tag on Saturdays and release on Sundays, however I
>> propose moving rc1 a day earlier because I'll be unavailable that Sunday.
>> Any objections?  I will interpret silence as tacit approval.
> As I've already discussed with Larry, I think adding a week to the
> scheduled dates would be preferable.  The original dates give pretty
> short notice and there are a number of open issues that would be good to
> resolve now in 3.4.2.

It would also be good to get Guido's official verdict on PEP 476 (the
switch to validating HTTPS by default) in time for 3.4.2. Based on the
previous discussion, Alex updated the PEP to suggest "just fix it" for
all of 3.5, 3.4.x and 2.7.x (including the httplib SSLContext support
backport in the latter case).

I think that would be feasible with an rc on the 20th, but challenging
if the rc is this coming weekend.

Note, as I stated in the previous thread, I'm now +1 on that PEP,
because I don't see any way to write an automated scan for a large
code base that ensures we're not relying on the default handling at
all. If the default behaviour is to validate HTTPS, the lack of such a
scanner isn't a problem - any failures to cope with self-signed or
invalid certs will be noisy, and we can either fix the certs, patch
the code to cope with them appropriately, or (for the self-signed cert
case) configure OpenSSL via environment variables. If dealing with
invalid certs is truly necessary, and the code can't be updated
either, then I'm OK with the answer being "keep using an older version
of Python, as that's going to be the least of your security concerns".


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Python-Dev mailing list