[Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
Steve Dower
steve.dower at python.org
Thu Sep 6 15:10:33 EDT 2018
On 06Sep2018 0758, Victor Stinner wrote:
> Are you volunteering to fix the XML modules?

If Christian is not able to keep maintaining the defused* packages, then
I may take a look at this next week at the sprints. The built-in XML
packages actually don't meet Microsoft's internal security requirements,
so I have some business motivation to do it. Hopefully it doesn't turn
me into the sole XML maintainer...

Ultimately, however, I think we're looking at technically incompatible
design changes, which is why simply dropping in a "fix" for 3.4 would
not work whereas adding new options (with more secure defaults) may work
for 3.8.

So I'm agreed with nearly everyone else - bugs should stay open as long
as we're interested in taking a fix, even if they've already been open
for a long time. Our issue tracker is a backlog, not a plan, so there is
no penalty for something sitting in there for a long time.

Cheers,
Steve