[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)

Steve Dower steve.dower at python.org
Thu Sep 6 15:10:33 EDT 2018

On 06Sep2018 0758, Victor Stinner wrote:
> Are you volunteer to fix the XML modules?

If Christian is not able to keep maintaining the defused* packages, then 
I may take a look at this next week at the sprints. The built-in XML 
packages actually don't meet Microsoft's internal security requirements, 
so I have some business motivation to do it. Hopefully it doesn't turn 
me into the sole XML maintainer...

Ultimately, however, I think we're looking at technically incompatible 
design changes, which is why simply dropping in a "fix" for 3.4 would 
not work whereas adding new options (with more secure defaults) may work 
for 3.8.

So I'm agreed with nearly everyone else - bugs should stay open as long 
as we're interested in taking a fix, even if they've already been open 
for a long time. Our issue tracker is a backlog, not a plan, so there is 
no penalty for something sitting in there for a long time.


More information about the Python-Dev mailing list