[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Paul Moore p.f.moore at gmail.com
Thu Jun 8 15:35:34 EDT 2017


On 8 June 2017 at 17:40, Steve Dower <steve.dower at python.org> wrote:
> I'm just going to straight up admit that I've lost track of the point of
> this thread.

You have my sympathies - I'm not really following it either :-(

> It sounds like we don't *need* to backport any of ssl into the Python 2.7
> standard library, as long as we can bundle a 3rd-party backport for pip?

My understanding is that the PEP is asking to backport a new feature.
The problem is that as a new feature, this received some (justifiable)
pushback.

The arguments for why this new feature is needed then got messy - as I
understand it, it's something to do with how the requests library
moves forward - they are blocked from supporting newer async features
from 3.x because they need to support 2.7. This feature would relieve
that logjam for them. Obviously, as a 3rd party library, their issues
aren't particularly compelling for the stdlib - but because pip uses
requests, and pip is shipped with Python, things get complicated.

> I assume that, at a high level, the operation needed is to download content
> over https using the system trust stores. Is that what we're trying to
> achieve here?
>
> If it is, can we just provide an enhanced urlretrieve()? Certainly on
> Windows, and presumably on macOS, it's much easier to do the high-level GET
> operation than to reimplement it using primitives.

The problem is that pip uses more features of requests than just
issuing GET requests. We aren't going to be in a position to switch to
a simple urlretrieve operation, even as some sort of fallback. What
I'm personally not at all clear on is why we can't just ship a version
of pip that supports 2.7 with 2.7, and a later version with 3.x. That
doesn't make the problem for pip and requests any easier, but it does
make it not python-dev's problem.

The issue is that the gulf between 2.7 and 3.x is getting wider, and
it's starting to cause real pain to 3rd party projects like requests.
Does that justify backporting this specific feature to 2.7? I don't
know.

Note that I haven't actually read the original PEP. I don't have a
view on networking issues, security, or Python 2.7 support. So I
didn't really feel the need to more than skim this thread. My only
interest really is where pip gets involved - and that's where I get
confused as I don't really see why (ensure)pip makes the problem so
much more complicated.

Paul

PS I'd be amazed if my summary above isn't wrong in at least some key
points. Corrections welcome!

