[Distutils] Announcement: TLSv1.2 will become mandatory in the future

Nick Coghlan ncoghlan at gmail.com
Thu Jan 12 01:07:03 EST 2017


On 12 January 2017 at 13:47, Donald Stufft <donald at stufft.io> wrote:
> I don’t think it’s a particularly big deal to tie the tls module to the
> Python lifecycle though, we’ve got a precedent for PEPs that backport
> important security critical stuff and most things are presumably going to be
> things that we don’t really even need a backport or a PEP for (I’m thinking
> things like ciphers and such). Particularly if this new thing is documented
> up front clearly what things you can depend on for compatibility (api and
> such) and what things can change in minor releases (keeping up with the
> security joneses stuff).
>
> I think the big thing that really killed the ssl module for so long in
> Python was the 2.x vs 3.x split with 2.7 living for a _very_ long time, and
> then no culture of backporting security important changes to it.

True, it took ~4 years for 2.7 to really fall unacceptably far behind
the state of the art, and even then it was as much about the lack of
SNI support as it was anything else.

If a new tls module started out with an API management policy that
allowed for new constants and for changes to the default security
settings in maintenance releases, then it would likely only need two
PEPs to define an effective rollout plan:

- one to add it to 3.7+
- one to backport the initial version to 2.7.x (and maybe the other
actively supported 3.x branches)

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

