[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Donald Stufft donald at stufft.io
Thu Jun 8 15:51:24 EDT 2017


> On Jun 8, 2017, at 3:37 PM, Donald Stufft <donald at stufft.io> wrote:
> 
> So basically backporting MemoryBIO unlocks two important things for the health of the Python ecosystem:
> 
> * Allows forward progress on PEP 543, which provides a wealth of great benefits like using the platform trust model and removing the need for pip, requests, etc to bundle a CA bundle internally and removing the need (long term anyways) for Python to ship a copy of OpenSSL on platforms that don’t provide it.
> * Allows requests and other libraries to continue to straddle the 2.x/3.x line where they need to, while still providing people who are using Python 3.x a way to use asyncio without having to fork the entire ecosystem into having an aio* copy of every single network library that exists.


Sorry I forgot one other important benefit:

* It reduces the delta between the 3.x and the 2.x ssl and _ssl modules, which makes actually maintaining those modules easier because this code is fiddly and hard to get right, so the more we can just directly backport security fixes from one to the other rather than having to rewrite the patch, the better off we are.

And the downside here is pretty small honestly?

It’s not changing behavior of anything that currently exists, since it’s adding a new thing inside the ssl module, and Alex has already written the patch, so there’s little extra work to do and it actually makes maintenance easier since patches can more readily be applied straight from `master`.

The primary argument I can see against it is one of purity, that 2.7 shouldn’t get new features, but as we know, practicality beats purity ;) (and we’ve already accepted that TLS is a special case, special enough to break the rules, so the main question is whether this specific thing is worthwhile—which, given its benefits to the Python ecosystem and to maintaining Python, I think it is).

—
Donald Stufft


