[Python-Dev] Branches in which to fix the SSL tests

Ned Deily nad at python.org
Thu Jan 7 01:52:17 EST 2016


On Jan 6, 2016, at 23:17, Guido van Rossum <guido at python.org> wrote:
> On Wed, Jan 6, 2016 at 7:06 PM, Martin Panter <vadmium+py at gmail.com> wrote:
> Currently some SSL tests in the test suite are broken by a recent
> certificate change at https://svn.python.org/; see
> <https://bugs.python.org/issue25940> for the bug report. The tests are
> broken when the test suite is run with the “-unetwork” option enabled,
> and most of the buildbots appear to be affected. (In 3.6 the tests
> have temporarily been disabled as a workaround.) I have a simple patch
> that substitutes the old root certificate for the new which I would
> like to commit, but I’m not sure which branches to apply it to, or
> even which branches are open to normal maintenance and bug fixes.
> 
> According to Larry
> <https://mail.python.org/pipermail/python-dev/2015-December/142566.html>,
> 3.4.4 was the last bug fix release for 3.4, so I assumed the 3.4
> branch should now be in security-fixes-only mode. However this branch
> still seems to get a lot of non-security action, for example the most
> recent bunch of changes were some work on the provisional “pathlib”
> module. So firstly I would like some clarification on the status of
> 3.4 and what its future is.
> 
> To me Larry's email mainly indicates that we're not going to do more binary releases in the 3.4 branch. The work I did on pathlib is probably never going to be released in that branch -- but since I merged it into 3.5 it's not going to waste, and the effort was pretty minimal. (And people *could* still pick it up from the source.)
>  
> Secondly, I would normally say a fix for the test suite isn’t really
> appropriate for the older security branches. But in the bug report,
> Koobs specifically requested this be fixed in 3.4 and possibly earlier
> branches as well. What do others think about this?
> 
> It should definitely be fixed in 2.7, 3.5 and 3.6. If you want to do it in 3.4 too that sounds totally fine (it's just one extra merge).

The Developer's Guide describes current practices for backporting of fixes to security-fix branches (https://docs.python.org/devguide/devcycle.html#security-branches):

"The only changes made to a security branch are those fixing issues exploitable
by attackers such as crashes, privilege escalation and, optionally, other
issues such as denial of service attacks.  Any other changes are
**not** considered a security risk and thus not backported to a security branch."

Benjamin brings up a good point, though, about the importance of fixing hard-failures in the test suite.  I've added the following to the above paragraph in the guide:

"You should also consider fixing hard-failing tests in open security branches
since it is important to be able to run the tests successfully before releasing."

Also, I've tried to update the information in the Developer's Guide regarding branches and releases to match the current state of the world, e.g. 3.6 is the feature release under development, 3.5 and 2.7 are the current maintenance branches, and the current security-fix-only branches are 3.4, 3.3, and (for one more month) 3.2.  (The web site should update within the next day.)

Hope that helps!

--Ned

--
  Ned Deily
  nad at python.org



