[Python-Dev] [python-committers] Proposed release schedule for Python 3.5.4
Larry Hastings
larry at hastings.org
Thu Jun 22 05:31:31 EDT 2017
On 06/22/2017 01:04 AM, Victor Stinner wrote:
> About the cipher list in ssl, the change itself is simple but it's to
> blacklist DES and 3DES since it has been proved that these ciphers are
> really too weak nowadays:
> http://python-security.readthedocs.io/vuln/cve-2016-2183_sweet32_attack_des_3des.html
Not "blacklist"--IIUC the user can still manually specify whatever
cipher suites they like. And not DES... who knows how long ago that was
removed from the list.
This change in 3.4 removes 3DES from the /default/ permissible cipher
list, changing those entries to use "HIGH cipher suites" instead
(OpenSSL's term for "cipher suites with key sizes >= 128 bytes"). It
also adds ChaCha20 to the default cipher list.
> By the way, is Larry the only one to be able to merge changes in 3.4?
> Before GitHub, all core dev were technically allowed to push in
> security-only branches.
Oh? Am I? **insert evil laugh** Ladies and gentlemen, get out your
checkbooks! 3.4 is about to get... expensive.
Seriously, though, I was mostly hoping other people would handle the
security stuff and just keep me informed. If I'm the only one permitted
to accept PRs into 3.4 (and soon 3.5), okay, I can work with that. I'm
still probably gonna delegate the actual judgment of the validity of the
PRs. But obviously it'll mean I'll have to be more hands-on, where so
far I was assuming I could just let other people handle it.
//arry/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20170622/4b713053/attachment.html>
More information about the Python-Dev
mailing list