[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Cory Benfield cory at lukasa.co.uk
Thu Jun 1 10:09:41 EDT 2017


> On 1 Jun 2017, at 14:53, Antoine Pitrou <solipsis at pitrou.net> wrote:
> 
> On Thu, 1 Jun 2017 14:37:55 +0100
> Cory Benfield <cory at lukasa.co.uk> wrote:
>>> 
>>> And indeed it doesn't.  Unless the target user base for pip is widely
>>> different than Python's, it shouldn't cause you any problems either.  
>> 
>> Maybe not now, but I think it’s fair to say that it did, right?
> 
> Until Python 3.2 and perhaps 3.3, yes. Since 3.4, definitely not.  For
> example asyncio quickly grew a sizable community around it, even though
> it had established Python 2-compatible competitors.

Sure, but “until 3.2” covers a long enough time to take us from now to “deprecation of Python 2”. Given that the Requests team is 4 people, unlike python-dev’s much larger number, I suspect we’d have at least as much pain proportionally as Python did. I’m not wild about signing up for that.

>>> Then the PEP is really wrong or misleading in the way it states its own
>>> motivations.  
>> 
>> How so?
> 
> In the sentence "There are plans afoot to look at moving Requests to a
> more event-loop-y model, and doing so basically mandates a MemoryBIO",
> and also in the general feeling it gives that the backport is motivated
> by security reasons primarily.

Ok, let’s address those together.

There are security reasons to do the backport, but they are “it helps us build a pathway to PEP 543”. Right now there are a lot of people interested in seeing PEP 543 happen, but vastly fewer in a position to do the work. I am, but only if I can actually use it for the things that are in my job. If I can’t, then PEP 543 becomes an “evenings and weekends” activity for me *at best*, and something I have to drop entirely at worst.

Adopting PEP 543 *would* be a security benefit, so while this PEP itself is not directly in and of itself a security benefit, it builds a pathway to something that is.

As to the plans to move Requests to a more event loop-y model, I think that it does stand in the way of this, but only insomuch as, again, we want our event loopy model to be as bug-free as possible. But I can concede that rewording on that point would be valuable.

*However*, it’s my understanding that even if I did that rewording, you’d still be against it. Is that correct? 

Cory



More information about the Python-Dev mailing list