[python-committers] "Gratuitous"? incompatibilities in the "fix only" releases

Robert Collins robertc at robertcollins.net
Wed Jul 29 19:31:42 CEST 2015


On 30 July 2015 at 05:20, Eric Snow <ericsnowcurrently at gmail.com> wrote:
>
> On Jul 29, 2015 11:08 AM, "Robert Collins" <robertc at robertcollins.net>
> wrote:
>>
>> On 30 July 2015 at 04:50, Guido van Rossum <guido at python.org> wrote:
>> > The more recent Python 2.7 bugfix releases have
>> > specific exemptions from the backwards compatibility requirements for
>> > security fixes -- because their lifespan will still be many years (EOL
>> > of
>> > 2.7 is summer 2020).
>> [snip]
>> https://docs.python.org/devguide/devcycle.html#security-branches
>> "...The only changes made to a security branch are those fixing issues
>> exploitable by attackers such as crashes, privilege escalation and,
>> optionally, other issues such as denial of service attacks. Any other
>> changes are not considered a security risk and thus not backported to
>> a security branch."
>>
>> This page doesn't specify the exception for 2.7, and by my poor
>> reading of it the http issue wouldn't pass muster - but I think it was
>> appropriate to apply. So I'm confused. Help :).
>
> See PEP 466.
>
> https://www.python.org/dev/peps/pep-0466/

Thanks - but that doesn't cover the 22928 fix as far as I can tell. It
explicitly says in fact that it's not carte blanche, and that things
still need to be discussed...

and I'm still not clear where we should discuss them :)

-Rob

-- 
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud

