[Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)

Barry Warsaw barry at python.org
Mon Nov 23 20:59:06 EST 2015


On Nov 24, 2015, at 10:18 AM, Nick Coghlan wrote:

>Since we already know Red Hat are OK with the draft recommendations,
>and I missed the RHEL 7.2 release date anyway, perhaps Barry or
>Matthias might be interested in tilting at the Ubuntu 14.04 LTS stable
>release update windmill? I know there was previously a decision from
>Ubuntu Security not to backport PEPs 466 & 476 to 2.7.5 due to the
>stability risks [1], but the configuration file based approach
>recommended in PEP 493 is backwards compatible by default

Right, but this isn't a patch we'd particularly want to carry ourselves.
Maybe if it were available upstream, tried and tested, it could be considered
for backporting, but it still wouldn't be zero cost.  We'd have to also handle
migration paths to newer Ubuntu releases, which probably means removing the
config file on future upgrades.  There's also the possibility of implementing
different defaults on new installs of 14.04 versus upgrades to 14.04.  And
even if a system administrator enabled it for one particular application, it
could break other applications on the same machine, so it just punts a
difficult decision down the line.

We're also not seeing much (any?) demand from our users, and the initial
attempt at turning this on by default *did* get a strong negative reaction
because of the compatibility break.

I'm concerned about accepting PEP 493 making a strong recommendation to
downstreams.  Yes, in an ideal world we all want security by default, but I
think the backward compatibility concerns of the PEP are understated,
especially as they relate to a maintenance release of a stable long term
support version of the OS.  I don't want PEP 493 to be a cudgel that people
beat us up with instead of having an honest discussion of the difficult
trade-offs involved.

Having said all that, I think informing people of the issue, and letting any
future reconsideration be demand driven is the right approach for now.

$0.02-ly y'rs,
-Barry

