[Python-Dev] On "PEP 546 — Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7"

Nick Coghlan ncoghlan at gmail.com
Sat Jun 10 12:53:56 EDT 2017


On 10 June 2017 at 09:56, Benjamin Peterson <benjamin at python.org> wrote:
> The reason we're having this conversation at all is probably a matter of
> timing. If MemoryBIO was in Python 3 when PEP 466 was accepted, it surely
> would have come along for the ride to 2.7. I believe PEP 466 is generally
> considered to have produced positive results. PEP 546, carrying no breaking
> changes, is less risky than PEP 466.
>
> The reluctance to bend 2.7 rules is healthy. This PEP is part of the price
> we pay, though, for making a backwards-incompatible release. The security
> landscape has and will change over the 10+ python-dev-supported life span of
> 2.7. During that time, we have an obligation to keep Python 2 secure. Part
> of that is supporting modern security interfaces, which are features. This
> change is needed to make another stdlib feature, ensurepip (which is itself
> yet another 2.7.x backport) work well.
>
> Therefore, as 2.7 release manager, I'm accepting the PEP.

Thanks Benjamin.

I was just about to post in the other thread to say I thought this was
the right way to go, as I think our experience with PEP 476 (the
switch to validating HTTPS certificates by default) is illustrative
here: we (Red Hat) technically *didn't* backport that PEP as
originally written into RHEL (and hence into CentOS etc). Instead, we
had folks primarily from Red Hat, eGenix, and Canonical figure out the
variant covered in PEP 493 that eventually became the system Python
behaviour in RHEL 7.3+.

So even if we eventually decide we can't backport PEP 546 into the
RHEL system Python as written:

- it will still be in Ubuntu 18.04+
- it will still make its way into future versions of other long term
support distributions (whether community driven or commercial)
- it will still make its way into Red Hat Software Collections at some point
- we're still free to write a follow-up PEP for an opt-in
_ssl_backport bootstrapping module if/when there's a clearer benefit
to justify the additional effort

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia


More information about the Python-Dev mailing list