[Python-Dev] PEP 466: Proposed policy change for handling network security enhancements

R. David Murray rdmurray at bitdance.com
Mon Mar 24 15:21:50 CET 2014


On Sun, 23 Mar 2014 21:31:12 -0400, Barry Warsaw <barry at python.org> wrote:
> On Mar 24, 2014, at 11:38 AM, Chris Angelico wrote:
> 
> >Easy. Just set PYTHONPATH to import the SEPython [1] lib ahead of the
> >standard lib. Then you can go back to the standard 2.7 (if you want
> >to) by unsetting PYTHONPATH.
> >
> >It'd be nice if SEPython defined a modified sys.version for clarity,
> >but otherwise, it'd be a vanilla Python 2.7.
> 
> That's certainly more in the direction of what I think is an appropriate
> upstream solution.
> 
> The thing is, there isn't one single "what's best for users" resolution.
> There are many, many competing requirements and I think it will be difficult
> to satisfy everyone.  I'm particularly sensitive to complaints of unexpected
> changes between micro releases.

In the context of that last sentence, I think it is worth noting the
stance that 3.4 is taking[*] about security backward compatibility,
since many people may not be aware of it (we only just finished making
the documentation clear).

If you use create_default_context() to get your context object, you get a
"best practices" level of security *that may change between maintenance
releases*.  If you want things to not change between maintenance releases,
you create your own context object and set its controls appropriately.

In other words, the programmer opts in to maintenance release security
improvements by using create_default_context.  I presume that whatever
comes out of this PEP will use the same approach.

Note: thanks again to Christian Heimes and Antoine Pitrou for this
work.  Without Christian's work, I think we wouldn't even be having
this conversation.  Antoine's earlier work laid essential groundwork,
but by itself I'm not sure that would have been enough to result in calls
for a backport.  It took both of them, with some help from others as well.

--David

[*] I actually don't know if this was discussed on python-dev previously
because I've got a backlog of messages I'm not caught up on.  If it
hasn't been, then doubly good to mention it now, since the first 3.4
maintenance release hasn't happened yet :)
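The opt-in distinction described in the message, as an added example that is not part of the original post or of CPython itself: one context comes from `ssl.create_default_context()` and tracks whatever the stdlib currently considers best practice, the other is an explicitly configured `SSLContext` whose settings are fixed by the application's own code. The `drift()` helper (a name chosen here, not a stdlib API) reports which of a handful of inspected settings differ, which is the check you would run in CI to notice when a maintenance release has moved the default away from what your pinned context assumes. The set of settings compared is an assumption of this example; `minimum_version` and `TLSVersion` require Python 3.7 or later.

```python
import ssl


def default_context() -> ssl.SSLContext:
    """Opt in to the stdlib's current best-practice client settings.

    These may change between maintenance releases; that is the point of
    using the factory rather than configuring a context by hand.
    """
    return ssl.create_default_context()


def pinned_context() -> ssl.SSLContext:
    """Build a client context whose security settings are fixed here.

    Nothing below depends on create_default_context(), so a later stdlib
    release cannot change this behaviour without a change to this code.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED      # set before check_hostname
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION     # mitigates CRIME-style attacks
    ctx.load_default_certs()                 # system trust store, no network
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Snapshot of the settings this example chooses to compare (an assumption)."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }


def drift(pinned: ssl.SSLContext, default: ssl.SSLContext) -> dict:
    """Return {setting: (pinned_value, default_value)} for every setting that differs.

    An empty dict means the stdlib default currently matches the pinned policy;
    a non-empty one is the signal that a maintenance release moved the defaults.
    """
    a, b = describe(pinned), describe(default)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    # Hypothetical usage: print both snapshots and any drift between them.
    print("default:", describe(default_context()))
    print("pinned: ", describe(pinned_context()))
    print("drift:  ", drift(pinned_context(), default_context()))
```

Run on this interpreter, `drift()` tells you which of the compared settings the interpreter's default context no longer shares with your pinned policy; on an unchanged interpreter the two contexts agree on certificate verification and hostname checking, while the minimum protocol version reported for the default depends on the Python release in use.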
