[Security-sig] Policy PEP (was Re: RFC: PEP: Make os.urandom() blocking on Linux)
Victor Stinner
victor.stinner at gmail.com
Fri Jun 24 19:26:19 EDT 2016
2016-06-24 16:01 GMT+02:00 Barry Warsaw <barry at python.org>:
> One thing I think such an informational PEP must require is a rationale as to
> why the issue is being classified as a security bug, a backporting rationale
> and plan, and a "Backwards Compatibility Impact Assessment", which I'm very
> glad to see in PEP 522.
Sorry, I didn't have time yet to think about Python 2.7 and Python
3.5. But it looks like my PEP (make os.urandom() blocking) and Nick's
PEP 522 (os.urandom() can raises BlockingIOError) introduce a backward
incompatible change. Applications which worked well on Python 3.5 may
block/fail with these changes.
I'm not sure that it's worth it to enhance Python 2.7 or 3.5. IMO
discussed changes make Python more secure, but they don't really fix a
critical vulnerability.
I don't think that it's a security vulnerability. I prefer to qualify
it as an enhancement, security "hardening" if you pefer.
Victor
More information about the Security-SIG
mailing list