[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)

Victor Stinner vstinner at redhat.com
Fri Sep 7 04:27:49 EDT 2018

On Fri, Sep 7, 2018 at 10:23, Christian Heimes <christian at python.org> wrote:
> Back in the day, I didn't push hard for the necessary fixes, because
> all fixes were breaking changes. After all I'd have to disable some
> features that people may have relied upon. The XML security stuff was my
> first major security topic for Python, even before SipHash24. I was more
> concerned not to break people's software than to keep the majority of
> users safe. I have changed my opinion over the last six, seven years.

I understood that Python 2.7.9, which required a valid TLS certificate,
annoyed many customers. So I don't think that it would be a good idea
to enforce XML security in a minor Python release. But would it make
sense to make XML stricter in Python 3.8 and add an option to opt out?
Or do we need a 1.5-year cycle (Python 3.8) with a warning, and
change the default in the next cycle?

> The topic is on the agenda for the core dev sprint.

Great :-) Thanks are moving on.
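As an added illustration of what "stricter by default, with an opt-out" could look like at the parser level, here is example code written for this page; it is not CPython's, defusedxml's, or any proposal from the thread. It uses only the handler hooks the standard library's pyexpat module already exposes, and the names parse_xml, forbid_entities, rejected and the three sample documents are assumptions. The strict path refuses any entity declaration before expansion can start and refuses external entity references; the opt-out path shows the expansion the lenient behaviour permits, on a deliberately small document.

```python
from xml.parsers.expat import ParserCreate


class ForbiddenEntityError(ValueError):
    """Raised in strict mode when the document declares or references entities."""


def parse_xml(data: bytes, *, forbid_entities: bool = True) -> dict:
    """Parse XML with the stdlib expat bindings.

    Hypothetical "strict by default" policy: entity declarations (internal
    or external) and external entity references raise ForbiddenEntityError
    unless the caller explicitly opts out with forbid_entities=False.
    Returns {"tags": [element names in document order], "text_len": int}.
    """
    parser = ParserCreate()
    tags, chunks = [], []

    def start_element(name, attrs):
        tags.append(name)

    def character_data(text):
        chunks.append(text)

    def entity_decl(name, is_parameter_entity, value, base, system_id,
                    public_id, notation_name):
        # Fires for every <!ENTITY ...> in the DTD, before anything is
        # expanded, so nested entity expansion never gets a chance to run.
        raise ForbiddenEntityError(f"entity declaration {name!r} rejected")

    def external_entity_ref(context, base, system_id, public_id):
        # Only reached when element content references an external entity.
        raise ForbiddenEntityError(f"external entity {system_id!r} rejected")

    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    if forbid_entities:
        parser.EntityDeclHandler = entity_decl
        parser.ExternalEntityRefHandler = external_entity_ref
    # Without an ExternalEntityRefHandler, expat does not fetch external
    # entities on its own, so even the lenient path performs no I/O here.

    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return {"tags": tags, "text_len": sum(len(c) for c in chunks)}


def rejected(data: bytes) -> bool:
    """True if the strict parser refuses the document."""
    try:
        parse_xml(data)
    except ForbiddenEntityError:
        return True
    return False


# Constructed sample documents (not from the original thread).
BENIGN = b"<?xml version='1.0'?><root><a>hi</a><b/></root>"

# Deliberately tiny nested entity expansion: three levels of four references
# each turn one 3-byte entity into 4**3 * 3 = 192 bytes of character data.
EXPANDING = b"""<?xml version='1.0'?>
<!DOCTYPE root [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;">
]>
<root>&lol3;</root>"""

# External entity pointing at a local file; the path is illustrative only.
EXTERNAL = b"""<?xml version='1.0'?>
<!DOCTYPE root [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<root>&ext;</root>"""


if __name__ == "__main__":
    print(parse_xml(BENIGN))
    print("strict rejects expansion:", rejected(EXPANDING))
    print("strict rejects external:", rejected(EXTERNAL))
    print("opt-out expands to",
          parse_xml(EXPANDING, forbid_entities=False)["text_len"], "bytes")
```

The point of rejecting at EntityDeclHandler rather than counting expanded bytes is that the decision is made before any replacement text exists, so no budget or ratio needs tuning; callers that really depend on DTD entities get the old behaviour only by passing the opt-out flag explicitly, which is the kind of visible, greppable choice a stricter default would force.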
