[Python-Dev] Python 2.7 patch levels turning two digit
"Martin v. Löwis"
martin at v.loewis.de
Mon Jun 23 08:09:32 CEST 2014
> * Is it a good strategy to ship to Python releases for every
> single OpenSSL security release or is there a better way to
> handle these 3rd party issues ?

At least for Windows, a new release certainly needs to be made.
It could be possible to produce MSI patch files, but this would
still be a new release.

> I think we should link to the OpenSSL libs dynamically rather
> than statically in Python 2.7 for Windows so that it's possible
> to provide drop-in updates for such issues.

It is possible to provide drop-in updates regardless of whether the
OpenSSL libs are dynamically linked, as the _ssl module itself is a
dynamic lib.

> * Should we try to avoid two digit patch level release numbers
> by using some other mechanism such as e.g. a release date
> after 2.7.9 ?

If it was for me, then yes, certainly: the development of 2.7 should
just stop :-)

> * Should we make use of the potential breakage with 2.7.10
> to introduce a new Windows compiler version for Python 2.7 ?

Assuming it is a good idea to continue producing Windows binaries
for 2.7, I think it would be a bad idea to switch compilers. It will
cause severe breakage of 2.7 installations, much more problematic
than switching to two-digit version numbers.

Regards,
Martin