[Python-Dev] [python-committers] Proposed release schedule for Python 3.5.4

Larry Hastings larry at hastings.org
Thu Jun 22 05:31:31 EDT 2017



On 06/22/2017 01:04 AM, Victor Stinner wrote:
> About the cipher list in ssl, the change itself is simple but it's to 
> blacklist DES and 3DES since it has been proved that these ciphers are 
> really too weak nowadays:
> http://python-security.readthedocs.io/vuln/cve-2016-2183_sweet32_attack_des_3des.html

Not "blacklist"--IIUC the user can still manually specify whatever 
cipher suites they like.  And not DES... who knows how long ago that was 
removed from the list.

This change in 3.4 removes 3DES from the /default/ permissible cipher 
list, changing those entries to use "HIGH cipher suites" instead 
(OpenSSL's term for "cipher suites with key sizes >= 128 bytes").  It 
also adds ChaCha20 to the default cipher list.


> By the way, is Larry the only one to be able to merge changes in 3.4? 
> Before GitHub, all core dev were technically allowed to push in 
> security-only branches.

Oh?  Am I? **insert evil laugh** Ladies and gentlemen, get out your 
checkbooks!  3.4 is about to get... expensive.

Seriously, though, I was mostly hoping other people would handle the 
security stuff and just keep me informed.  If I'm the only one permitted 
to accept PRs into 3.4 (and soon 3.5), okay, I can work with that.  I'm 
still probably gonna delegate the actual judgment of the validity of the 
PRs.  But obviously it'll mean I'll have to be more hands-on, where so 
far I was assuming I could just let other people handle it.


//arry/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20170622/4b713053/attachment.html>


More information about the Python-Dev mailing list