[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Cory Benfield cory at lukasa.co.uk
Thu Jun 1 07:01:41 EDT 2017

> On 1 Jun 2017, at 11:39, Antoine Pitrou <solipsis at pitrou.net> wrote:
> On Thu, 1 Jun 2017 11:22:21 +0100
> Cory Benfield <cory at lukasa.co.uk> wrote:
>> Who is the “we” that should move on? Python core dev? Or the Python ecosystem?
> Sorry.  Python core dev certainly.  As for the rest of the ecosystem, it
> is moving on as well.

Moving, sure, but slowly. Again, I point to the 80% download number.

>> Requests is stuck in a place from which it cannot move.
>> We feel we cannot drop 2.7 support. We want to support as many TLS
>> backends as possible.
> Well, certain features could be 3.x-only, couldn't they?

In principle, sure. In practice, that means most of our users don’t use those features and so we don’t get any feedback on whether they’re good solutions to the problem. This is not great. Ideally we want features to be available across as wide a deploy base as possible, otherwise we risk shipping features that don’t solve the actual problem very well. Good software comes, in part, from getting user feedback.

>> We want to enable the pip developers to focus on
>> their features, rather than worrying about HTTP and TLS. And we want
>> people to adopt the async/await keywords as much as possible.
> I don't get what async/await keywords have to do with this.  We're
> talking about backporting the ssl memory BIO object…

All of this is related. I wrote a very, very long email initially and deleted it all because it was just too long to expect any normal human being to read it, but the TL;DR here is that we also want to support async/await, and doing so requires a memory BIO object.

>> I want to move on, but I want to bring that 80% of our userbase with us when we do. My reading of your post is that you would rather Requests not adopt the async/await paradigm than backport MemoryBIO: is my understanding correct?
> Well you cannot use async/await on 2.7 in any case, and you cannot use
> asyncio on 2.7 (Trollius, which was maintained by Victor, has been
> abandoned AFAIK).  If you want to use coroutines in 2.7, you need to
> use Tornado or Twisted.  Twisted may not, but Tornado works fine with
> the stdlib ssl module.

I can use Twisted on 2.7, and Twisted has great integration with async/await and asyncio when they are available. Great and getting greater, in fact, thanks to the work of the Twisted and asyncio teams.

As to Tornado, the biggest concern there is that there is no support for composing the TLS over non-TCP sockets as far as I am aware. The wrapped socket approach is not suitable for some kinds of stream-based I/O that users really should be able to use with Requests (e.g. UNIX pipes). Not a complete non-starter, but also not something I’d like to forego.


More information about the Python-Dev mailing list