On 7/29/2015 1:01 PM, Robert Collins wrote:
> On 30 July 2015 at 04:50, Guido van Rossum <gu...@python.org> wrote:
> > I believe that in this particular case, the bug was fixed (by tightening the
> > requirements for headers) because the bug can lead to security
> > vulnerabilities. I think you can find more by Googling for keywords like
> > "http header injection". The more recent Python 2.7 bugfix releases have
> > specific exemptions from the backwards compatibility requirements for
> > security fixes -- because their lifespan will still be many years (EOL of
> > 2.7 is summer 2020).

> Yeah - this is a security issue, and unfortunately it's one that can
> break programs [or rather, expose how they were broken already at an
> earlier and less susceptible point].
>
> As a new committer, I'd like to double check my understanding of the policy:
>
> https://docs.python.org/devguide/devcycle.html#maintenance-branches
> "...
> The only changes allowed to occur in a maintenance branch without
> debate are bug fixes. Also, a general rule for maintenance branches is
> that compatibility must not be broken at any point between sibling
> minor releases (3.4.1, 3.4.2, etc.).

Since bug fixes break code that depends on the bug (as happened in this case), the second rule appears to be written too strongly. It really needs a short paragraph. Bug fixes should only break code depending on the bug. Bug fixes must not change existing non-buggy features and should not introduce new features. Non-security bug fixes that break too much code deemed to be reasonable are sometimes deferred to the next release.

> For both rules, only rare
> exceptions are accepted and must be discussed first."

> Where should these things be discussed? I've been discussing with
> other committers on the issues in the issue tracker. Is this
> sufficient? What is the social norm?

Feature additions like adding a new parameter to fix a bug should be discussed on pydev. For instance, difflib.SequenceMatcher gained the autojunk parameter in 2.7.1. I believe the pydev discussion included "Is the issue a bug?" (yes) and "Does it need fixing in the current release?" (yes, it generated multiple bug reports). I believe being early in the long 2.7.x series and the last change to fix in 2.x played a role.

Terry
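As an added illustration of the "http header injection" class Guido refers to (example code written for this page, not code from the thread and not CPython's actual fix): a naive header serializer beside a strict one that rejects CR/LF in values and non-token characters in names, run on a constructed sample value.

```python
import re

# Constructed sample input: a "user-controlled" value carrying CR LF, the shape
# that lets a caller smuggle an extra header line through a naive serializer.
INJECTED_VALUE = "text/plain\r\nX-Injected: 1"

def serialize_headers_naive(headers):
    """Concatenate headers with no validation: a CR LF inside a value ends the
    current header line and whatever follows is sent as a new header."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers.items()) + "\r\n"

# Header names are restricted to RFC 7230 tchar characters; values may not
# contain a bare CR or LF anywhere (no obsolete line folding either).
_ILLEGAL_NAME_CHAR = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")
_ILLEGAL_VALUE_CHAR = re.compile(r"[\r\n]")

def header_is_safe(name, value):
    """Return True only if name and value are acceptable on the wire."""
    if not name or _ILLEGAL_NAME_CHAR.search(name):
        return False
    return _ILLEGAL_VALUE_CHAR.search(value) is None

def serialize_headers_strict(headers):
    """Same serialization, but every header is checked first."""
    for name, value in headers.items():
        if not header_is_safe(name, value):
            raise ValueError(f"refusing to send invalid header {name!r}: {value!r}")
    return serialize_headers_naive(headers)

def count_header_lines(wire):
    """Number of non-empty header lines in a serialized block (shows the smuggled line)."""
    return len([line for line in wire.split("\r\n") if line])

if __name__ == "__main__":
    print(count_header_lines(serialize_headers_naive({"Content-Type": INJECTED_VALUE})))
    print(header_is_safe("Content-Type", INJECTED_VALUE))
```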

_______________________________________________
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers