[Python-Dev] RFC: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7

Jim Baker jim.baker at python.org
Wed May 31 16:09:20 EDT 2017


So we have two distinct changes that are proposed here:

1. Support alternative implementations of TLS instead of OpenSSL. In
particular this will enable the use of system trust stores for certificates.

2. Implement ABCs and concrete classes to support MemoryBIO, etc., from 3.7.

Supporting system trust stores is a valid security fix for 2.7, and I have
no such problem with such changes as long as they are narrowed to this
specific change.

But I object to a completely new feature being added to 2.7 to support the
implementation of event loop SSL usage. This feature cannot be construed as
a security fix, and therefore does not qualify as a feature that can be
added to CPython 2.7 at this point in its lifecycle.

The discussion that implementing such new features for 2.7 will improve
their adoption for Python 3 is a red herring. We could enumerate many such
features, but https://www.python.org/dev/peps/pep-0404/#upgrade-path is
rather clear here.

- Jim

On Wed, May 31, 2017 at 10:40 AM, Victor Stinner <victor.stinner at gmail.com>
wrote:

> 2017-05-31 17:45 GMT+02:00 Jim Baker <jim.baker at python.org>:
> > Given that this proposed new feature is for 2.7 to support event loop
> > usage
> > and not a security fix, I'm -1 on this change. In particular, it runs
> > counter to the justification policy stated in PEP 466.
>
> Hum, it seems like the PEP 546 abstract is incomplete. The final goal
> of the PEP is to make Python 3 more secure thanks to all the goodness of
> PEP 543. PEP 546 tries to explain why Python 2.7 is blocking
> the adoption of PEP 543 in practice.
>
> Victor
>