[Python-Dev] [python-committers] Proposed release schedule for Python 3.5.4

Brett Cannon brett at python.org
Thu Jun 22 11:56:29 EDT 2017


On Thu, 22 Jun 2017 at 02:32 Larry Hastings <larry at hastings.org> wrote:

>
>
> On 06/22/2017 01:04 AM, Victor Stinner wrote:
>
> > About the cipher list in ssl, the change itself is simple but it's to
> > blacklist DES and 3DES since it has been proved that these ciphers are
> > really too weak nowadays:
> >
> > http://python-security.readthedocs.io/vuln/cve-2016-2183_sweet32_attack_des_3des.html
>
>
> Not "blacklist"--IIUC the user can still manually specify whatever cipher
> suites they like.  And not DES... who knows how long ago that was removed
> from the list.
>
> This change in 3.4 removes 3DES from the *default* permissible cipher
> list, changing those entries to use "HIGH cipher suites" instead (OpenSSL's
> term for "cipher suites with key sizes >= 128 bytes").  It also adds
> ChaCha20 to the default cipher list.
>
>
>
> > By the way, is Larry the only one to be able to merge changes in 3.4?
> > Before GitHub, all core dev were technically allowed to push in
> > security-only branches.
>
>
> Oh?  Am I? **insert evil laugh** Ladies and gentlemen, get out your
> checkbooks!  3.4 is about to get... expensive.
>
> Seriously, though, I was mostly hoping other people would handle the
> security stuff and just keep me informed.  If I'm the only one permitted to
> accept PRs into 3.4 (and soon 3.5), okay, I can work with that.  I'm still
> probably gonna delegate the actual judgment of the validity of the PRs.
> But obviously it'll mean I'll have to be more hands-on, where so far I was
> assuming I could just let other people handle it.
>

Currently the security-only branches are set so that only release managers
can merge PRs since they technically are on the hook if some compatibility
breaks due to some patch (e.g. I expect Ned to use this for 3.7 once we hit
rc to really control what goes in last minute). It's easy enough to turn
this protection off, though, if people want.
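
The default cipher list change discussed in the quoted thread above can be checked on a given interpreter. This is an added example, not part of the original message and not CPython's own code: it lists the suites an `ssl` context will offer (Python 3.6+), flags DES/3DES entries, and builds a context with an explicit cipher string that excludes 3DES. The function names, the cipher string and the constructed sample list are assumptions for illustration.

```python
import ssl

# OpenSSL names single DES "...DES-CBC-SHA" and 3DES "...DES-CBC3-SHA",
# so one marker covers both 64-bit-block ciphers affected by Sweet32.
WEAK_MARKER = "DES-CBC"

# Constructed sample of OpenSSL suite names (not captured from a real host).
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-DES-CBC3-SHA",
    "DES-CBC3-SHA",
    "ECDHE-RSA-CHACHA20-POLY1305",
]


def enabled_suites(ctx):
    """Return the OpenSSL names of the suites this context will offer."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit(names):
    """Report DES/3DES suites and whether any ChaCha20 suite is present."""
    upper = [n.upper() for n in names]
    return {
        "weak": [n for n, u in zip(names, upper) if WEAK_MARKER in u],
        "chacha20": any("CHACHA20" in u for u in upper),
    }


def context_without_3des():
    """Client context whose cipher string excludes 3DES explicitly,
    independent of what the interpreter's built-in default list contains."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("HIGH:!3DES:!aNULL:!eNULL:!MD5")
    return ctx


if __name__ == "__main__":
    print("sample  :", audit(SAMPLE))
    print("default :", audit(enabled_suites(ssl.create_default_context())))
    print("explicit:", audit(enabled_suites(context_without_3des())))
```

A non-empty `weak` list for the default context means the interpreter or its linked OpenSSL still offers 3DES by default; code that passes its own string to `set_ciphers()` has to be audited separately, since the default list does not apply to it.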