[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Cory Benfield cory at lukasa.co.uk
Thu Jun 1 11:01:54 EDT 2017


> On 1 Jun 2017, at 15:10, David Wilson <dw+python-dev at hmmz.org> wrote:

> Finding someone to audit the signature checking capabilities of [0] will
> have vastly lower net cost than getting the world into a situation where
> pip no longer runs on the >1e6 EC2 instances that will be running Ubuntu
> 14.04/16.04 LTS until the turn of the next decade.

So for the record I’m assuming most of the previous email was a joke: certainly it’s not going to happen. ;)

But this is a real concern that does need to be addressed: Requests can’t meaningfully use this as its only TLS backend until it propagates to the wider 2.7 ecosystem, at least far enough such that pip can drop Python 2.7 releases lower than 2.7.14 (or wherever MemoryBIO ends up, if backported). So a concern emerges: if you grant my other premises about the utility of the backport, is it worth backporting at all?

The answer to that is honestly not clear to me. I chatted with the pip developers, and they have 90%+ of their users currently on Python 2, but more than half of those are on 2.7.9 or later. This shows some interest in upgrading to newer Python 2s. The question, I think, is: do we end up in a position where a good number of developers are on 2.7.14 or later and only a very small fraction on 2.7.13 or earlier before the absolute number of Python 2 devs drops low enough to just drop Python 2?

I don’t have an answer to that question. I have a gut instinct that says yes, probably, but a lack of certainty. My suspicion is that most of the core dev community believe the answer to that is “no”. But I’d say that from my perspective this is the crux of the problem. We can hedge against this by just choosing to backport and accepting that it may never become useful, but a reasonable person can disagree and say that it’s just not worth the effort.

Frankly, I think that amidst all the other arguments this is the one that most concretely needs answering, because if we don’t think Requests can ever meaningfully rely on the presence of MemoryBIO on 2.7 (where “rely on” can be approximated to 90%+ of 2.7 users having access to it AND 2.7 still having non-trivial usage numbers) then ultimately this PEP doesn’t grant me much benefit.

There are others who believe there are a few other benefits we could get from it (helping out Twisted etc.), but I don’t know that I’m well placed to make those arguments. (I also suspect I’d get accused of moving the goalposts.)

Cory

