[Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)

[Nick Coghlan]

On 17 November 2015 at 20:33, Victor Stinner <victor.stinner at gmail.com> wrote:
> 2015-11-17 1:00 GMT+01:00 Guido van Rossum <guido at python.org>:
>> Hm, making Christian the BDFL-delegate would mean two out of three
>> authors *and* the BDFL-delegate all working for Red Hat, which clearly
>> has a stake (and IIUC has already committed to this approach ahead of
>> PEP approval). SO then it would look like this is just rubber-stamping
>> Red Hat's internal decision process (if it's a process -- sounds more
>> like an accident :-).
>
> Can we try to get a vote from maintainers of the Python2/3 packages of
> other Linux distributions? Debian, Ubuntu, OpenSUSE, etc.?

I know Oracle were interested based on a discussion between them and a
member of Red Hat's product security team about it on oss-security,
but their devs never followed up on it upstream (even after an
explicit suggestion that they do so), so I'm interpreting that as
willingness to go along with whatever happens in RHEL.

For Debian, Ubuntu and SUSE, their original determinations for the
relevant CVE were "too intrusive to backport", so folks currently need
to upgrade to newer versions of those distros to get the improved
default behaviour:

* http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9365.html
* https://security-tracker.debian.org/tracker/CVE-2014-9365
* https://www.suse.com/security/cve/CVE-2014-9365.html

If having an opt-in backwards-compatible-by-default approach available
(albeit as a PEP 466+476+493 patch set in the RHEL/CentOS system
Python 2.7.5 package) prompts other distro security teams to
reconsider those initial assessments, that would be a nice outcome,
but it isn't my own main priority (so Guido makes a good point in
favouring finding a non-Red-Hatter willing to act as BDFL-Delegate)

Regards,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia