[python-committers] "Gratuitous"? incompatibilities in the "fix only" releases

Guido van Rossum guido at python.org
Wed Jul 29 18:50:27 CEST 2015


I believe that in this particular case, the bug was fixed (by tightening
the requirements for headers) because the bug can lead to security
vulnerabilities. I think you can find more by Googling for keywords like
"http header injection". The more recent Python 2.7 bugfix releases have
specific exemptions from the backwards compatibility requirements for
security fixes -- because their lifespan will still be many years (EOL of
2.7 is summer 2020).

On Wed, Jul 29, 2015 at 6:06 PM, Jesus Cea <jcea at jcea.es> wrote:

> Yesterday I upgraded one of my computers to 2.7.10 and a program working
> for years failed.
>
> The problem is this:
>
> """
> http=httplib.HTTPConnection("127.0.0.1",8081)
> http.request("GET","/XXXXX/%f" %last_t, "", \
>   {"Authorization":"Basic %s" %base64.encodestring("%s:%s" %(a,b))})
> """
>
> base64.encodestring() creates base64 encoding with a final '\n'. This
> used to work until 2.7.9 but 2.7.10 is failing now with an exception
> about an "illegal character" in a header.
>
> I know that that code is faulty and I should drop the final '\n' or just
> use "base64.b64encode()" (my current fix). The point, though, is that
> this code used to work in previous 2.7 releases but it is failing under
> 2.7.10.
>
> This incompatible change will be released in 3.4.4 too.
>
> I agree that new code is better, no argument here. My program was
> incorrect, sure. But I was under the impression that backwards
> incompatible code was forbidden in minor releases, except for very
> critical reasons (like the HTTPS security default backported to 2.7). I
> think that breaking working code during minor updates is risky and
> breaks user/programmer expectations.
>
> The change was done in <https://bugs.python.org/issue22928>.
>
> I think the change is the way to go, I don't ask for a revert (since
> 2.7.10 is already in the wild I want to keep it too in future 3.4.4) but
> I am interested in knowing the official statement of committers about
> backwards incompatible changes in minor releases for my own future
> reference.
>
> Sorry if this email seems confrontational. Not my intention, but my
> English is getting worse by the day :-). This is an inquiry about
> policy, not an attack.
>
> Thanks!
>
> --
> Jesús Cea Avión                         _/_/      _/_/_/        _/_/_/
> jcea at jcea.es - http://www.jcea.es/     _/_/    _/_/  _/_/    _/_/  _/_/
> Twitter: @jcea                        _/_/    _/_/          _/_/_/_/_/
> jabber / xmpp:jcea at jabber.org  _/_/  _/_/    _/_/          _/_/  _/_/
> "Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
> "My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
> "El amor es poner tu felicidad en la felicidad de otro" - Leibniz
>
>
> _______________________________________________
> python-committers mailing list
> python-committers at python.org
> https://mail.python.org/mailman/listinfo/python-committers
>
>


-- 
--Guido van Rossum (python.org/~guido)
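The breakage and the rationale discussed above, as an added example that is not part of the thread or of CPython itself. It reproduces the quoted pattern in Python 3 (`base64.encodebytes()` is the Python 3 name for `encodestring()` and likewise appends `'\n'`), applies the CR/LF rule the 2.7.10 / 3.4.4 fix added (the regex mirrors the one in CPython's `http/client.py`), asks `http.client` itself whether it accepts the value, and shows why an unvalidated client is a problem: a bare newline ends the header line early, so a tolerant receiver treats the rest of the header block as something else. The helper names, the `user:pass` credentials and the `text/plain` header are constructed for the demonstration; `127.0.0.1:8081` is taken from the quoted message and no socket is opened.

```python
"""Why a trailing '\\n' in a header value is rejected since Python 2.7.10 / 3.4.4.

Added example (not the thread's or CPython's code). Host and port are the
placeholders from the quoted message; putrequest()/putheader() only buffer,
so nothing is sent.
"""
import base64
import http.client
import re

# Mirrors the check CPython's http/client.py applies to header values:
# a CR or LF is tolerated only when it starts an obsolete line fold,
# i.e. is followed by SP or HTAB. A trailing '\n' therefore fails.
_ILLEGAL_VALUE = re.compile(rb"\n(?![ \t])|\r(?![ \t\n])")


def header_value_is_legal(value: bytes) -> bool:
    """True when `value` cannot terminate its header line early."""
    return _ILLEGAL_VALUE.search(value) is None


def basic_auth_legacy(user: str, password: str) -> str:
    """The quoted pattern: encodebytes() (Py2: encodestring()) appends '\\n'."""
    creds = ("%s:%s" % (user, password)).encode("latin-1")
    return "Basic %s" % base64.encodebytes(creds).decode("ascii")


def basic_auth_fixed(user: str, password: str) -> str:
    """The quoted fix: b64encode() emits no line breaks at all."""
    creds = ("%s:%s" % (user, password)).encode("latin-1")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def stdlib_accepts(value: str) -> bool:
    """Ask http.client directly. HTTPConnection() does not connect and
    putrequest()/putheader() only write to an internal buffer; the
    ValueError comes from the header validation added in issue22928."""
    conn = http.client.HTTPConnection("127.0.0.1", 8081)
    conn.putrequest("GET", "/", skip_host=True, skip_accept_encoding=True)
    try:
        conn.putheader("Authorization", value)
    except ValueError:
        return False
    finally:
        conn.close()
    return True


def naive_header_block(headers: dict) -> bytes:
    """How a client WITHOUT value validation would serialise its headers."""
    lines = "".join("%s: %s\r\n" % (k, v) for k, v in headers.items())
    return (lines + "\r\n").encode("latin-1")


def parse_header_block_loosely(block: bytes) -> list:
    """A tolerant receiver: accepts LF or CRLF as a line end and stops at the
    first empty line, as many servers do. Returns the header names it saw."""
    names = []
    for line in block.splitlines():
        if not line:
            break  # empty line: end of the header section
        name, _, _ = line.partition(b":")
        names.append(name.strip())
    return names


if __name__ == "__main__":
    legacy = basic_auth_legacy("user", "pass")   # constructed credentials
    fixed = basic_auth_fixed("user", "pass")
    print("legacy value:", repr(legacy), "legal:", header_value_is_legal(legacy.encode("latin-1")))
    print("fixed value: ", repr(fixed), "legal:", header_value_is_legal(fixed.encode("latin-1")))
    print("http.client accepts legacy:", stdlib_accepts(legacy))
    print("http.client accepts fixed: ", stdlib_accepts(fixed))
    # With the legacy value, the '\n' followed by the serialiser's CRLF forms an
    # empty line, so a tolerant receiver never sees Content-Type as a header.
    for value in (legacy, fixed):
        block = naive_header_block({"Authorization": value, "Content-Type": "text/plain"})
        print("receiver parsed:", parse_header_block_loosely(block))
```

The value `base64.encodebytes()` returns for `user:pass` is `dXNlcjpwYXNz\n`; the regex flags the final newline because nothing (in particular no SP/HTAB) follows it, which is exactly the "illegal character" exception from the quoted message, while the `b64encode()` value passes both the local check and `http.client.putheader()`.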