[Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)

Christian Heimes christian at python.org
Tue Nov 24 07:53:48 EST 2015


On 2015-11-24 01:18, Nick Coghlan wrote:
> On 24 November 2015 at 05:35, Christian Heimes <christian at python.org> wrote:
>> On 2015-11-17 01:00, Guido van Rossum wrote:
>>> Hm, making Christian the BDFL-delegate would mean two out of three
>>> authors *and* the BDFL-delegate all working for Red Hat, which clearly
>>> has a stake (and IIUC has already committed to this approach ahead of
>>> PEP approval). So then it would look like this is just rubber-stamping
>>> Red Hat's internal decision process (if it's a process -- sounds more
>>> like an accident :-).
>>>
>>> So, Alex, do you want to approve this PEP?
>>
>> I haven't read this thread until now. Independently from your objection
>> I have raised the same concern with Nick today. I'd be willing to BDFL
>> the PEP but I'd rather have somebody outside of Red Hat.
> 
> Likewise, but the intersection between "wants to get PEP 476 into the
> hands of as many system operators as possible as soon as possible",
> "is a CPython core developer", and "doesn't work for Red Hat" is
> looking to be a rather select group :)

Right, with Antoine and Alex out of scope and you, Victor and me working
for Red Hat, the air is getting thin. Benjamin is familiar with the ssl
module. Or we can follow Alex's advice and ask somebody from the PyCA
group (Donald, Paul, lvh) or requests (Cory) to get some outside
perspective.


> Since we already know Red Hat are OK with the draft recommendations,
> and I missed the RHEL 7.2 release date anyway, perhaps Barry or
> Matthias might be interested in tilting at the Ubuntu 14.04 LTS stable
> release update windmill? I know there was previously a decision from
> Ubuntu Security not to backport PEPs 466 & 476 to 2.7.5 due to the
> stability risks [1], but the configuration file based approach
> recommended in PEP 493 is backwards compatible by default, with the
> decision to opt in to the improved settings after upgrading current
> systems being made by system administrators rather than the distro
> vendor. With around 3 1/2 years still to run on 14.04's support
> lifecycle, that has the potential to reach quite a few systems that
> otherwise wouldn't benefit from the change until well after Ubuntu
> 16.04 is released next year.

Yes, that makes a lot of sense.

Christian
