[python-committers] "Gratuitous"? incompatibilities in the "fix only" releases

Robert Collins robertc at robertcollins.net
Wed Jul 29 19:01:12 CEST 2015


On 30 July 2015 at 04:50, Guido van Rossum <guido at python.org> wrote:
> I believe that in this particular case, the bug was fixed (by tightening the
> requirements for headers) because the bug can lead to security
> vulnerabilities. I think you can find more by Googling for keywords like
> "http header injection". The more recent Python 2.7 bugfix releases have
> specific exemptions from the backwards compatibility requirements for
> security fixes -- because their lifespan will still be many years (EOL of
> 2.7 is summer 2020).

Yeah - this is a security issue, and unfortunately it's one that can
break programs [or rather, expose how they were broken already at an
earlier and less susceptible point].

As a new committer, I'd like to double check my understanding of the policy:

https://docs.python.org/devguide/devcycle.html#maintenance-branches
"...
The only changes allowed to occur in a maintenance branch without
debate are bug fixes. Also, a general rule for maintenance branches is
that compatibility must not be broken at any point between sibling
minor releases (3.4.1, 3.4.2, etc.). For both rules, only rare
exceptions are accepted and must be discussed first."

Where should these things be discussed? I've been discussing with
other committers on the issues in the issue tracker. Is this
sufficient? What is the social norm?

https://docs.python.org/devguide/devcycle.html#security-branches
"...The only changes made to a security branch are those fixing issues
exploitable by attackers such as crashes, privilege escalation and,
optionally, other issues such as denial of service attacks. Any other
changes are not considered a security risk and thus not backported to
a security branch."

This page doesn't specify the exception for 2.7, and by my poor
reading of it the http issue wouldn't pass muster - but I think it was
appropriate to apply. So I'm confused. Help :).

-Rob
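To make concrete the kind of "tightening the requirements for headers" Guido refers to, here is an added example; it is my own code, not CPython's http.client implementation nor the patch discussed in this thread. The token regex, the minimal request serialiser and the sample values are constructed for the example. The point it shows is the one Rob makes above: a program that previously passed unvalidated data into a header name or value now gets an exception at the point where the data enters the header, rather than a silently corrupted request.

```python
import re
from typing import Dict, Tuple

# Constructed rules for this example (not CPython's own regexes):
# a legal header name is an RFC 7230 "token"; a legal value contains
# no bare CR or LF, which are the characters that would terminate the
# header and let the rest of the value be parsed as further headers.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_CRLF_RE = re.compile(r"[\r\n]")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value could split the HTTP message."""


def validate_header(name: str, value: str) -> Tuple[str, str]:
    """Return (name, value) unchanged if they are safe; otherwise raise.

    Rejecting instead of sanitising is deliberate: stripping CR/LF would
    hide the fact that untrusted data reached a header, which is exactly
    the "broken at an earlier point" condition the thread talks about.
    """
    if not _TOKEN_RE.match(name):
        raise HeaderInjectionError(f"illegal header name: {name!r}")
    if _CRLF_RE.search(value):
        raise HeaderInjectionError(f"CR or LF in value of header {name!r}")
    return name, value


def is_injection_attempt(name: str, value: str) -> bool:
    """Detection helper: True if the pair would be rejected (useful for logging)."""
    try:
        validate_header(name, value)
    except HeaderInjectionError:
        return True
    return False


def build_request(method: str, path: str, headers: Dict[str, str]) -> bytes:
    """Serialise a minimal HTTP/1.1 request, validating every header first.

    The request line is checked too: CR/LF in the method or path would
    have the same splitting effect as CR/LF in a header value.
    """
    if _CRLF_RE.search(method) or _CRLF_RE.search(path):
        raise HeaderInjectionError("CR or LF in request line")
    lines = [f"{method} {path} HTTP/1.1"]
    for name, value in headers.items():
        validate_header(name, value)
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    # Constructed inputs: a well-formed request, then a value carrying a
    # line break, e.g. copied verbatim from an untrusted request parameter.
    print(build_request("GET", "/status", {"Host": "example.test",
                                           "X-Request-Id": "abc123"}))
    try:
        build_request("GET", "/status", {"X-Request-Id": "abc123\r\nX-Bad: 1"})
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

Under the old, lenient behaviour the second call would have produced a request with an extra header line that the caller never intended; with validation it fails loudly, which is the compatibility break the thread is weighing against the security benefit.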
