Thought: what if there's a label on the bug tracker meaning roughly "we're probably not going to fix this anytime soon, but we won't mind someone stepping up"?

On Thu, Sep 6, 2018, 10:04 AM Guido van Rossum <gu...@python.org> wrote:

> FWIW I'm with Antoine here -- XML is still important and I'd like us to go
> the extra mile here, not just give up because the issues have been inactive
> for a long time. We can't control what PyYAML does, but for the stdlib XML
> code, the buck stops here, and we should do the responsible thing.
>
> On Thu, Sep 6, 2018 at 7:49 AM Antoine Pitrou <anto...@python.org> wrote:
>
>> On 06/09/2018 at 16:40, Victor Stinner wrote:
>> > On Thu, 6 Sept 2018 at 16:33, Antoine Pitrou <solip...@pitrou.net>
>> > wrote:
>> >> If we consider fixing these issues to be desirable, then the issues
>> >> should be kept open. Closing issues because no-one is working on them
>> >> sounds a bit silly to me.
>> >
>> > I forgot to mention that closing these issues is my reply to Larry's
>> > call to fix 3 security issues:
>> >
>> > https://mail.python.org/pipermail/python-committers/2018-August/006031.html
>> >
>> > Larry wrote "If they're really all wontfix, maybe we should mark them
>> > as wontfix, thus giving 3.4 a sendoff worthy of its heroic stature."
>>
>> "wontfix" on 3.4 doesn't mean we won't fix them later, e.g. in 3.8.
>>
>> > For these XML issues, the security vulnerabilities can also be seen
>> > as XML features. Loading an external DTD is part of the XML
>> > specification, as well as entity expansion.
>>
>> That doesn't mean there shouldn't be any hard limits to expansion depth
>> or breadth.
>>
>> Function calls are a Python feature, yet we limit the amount of
>> recursion allowed.
>>
>> Regards
>>
>> Antoine.
>> _______________________________________________
>> Python-Dev mailing list
>> Python-Dev@python.org
>> https://mail.python.org/mailman/listinfo/python-dev
>> Unsubscribe:
>> https://mail.python.org/mailman/options/python-dev/guido%40python.org
>
> --
> --Guido van Rossum (python.org/~guido)

--
Ryan (ライアン)
Yoko Shimomura, ryo (supercell/EGOIST), Hiroyuki Sawano >> everyone else
https://refi64.com/
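
The point quoted above about hard limits on expansion depth or breadth, as an added example (not code from this thread or from the stdlib): an expat-based pre-check that measures what each declared entity would expand to and refuses a document whose DTD exceeds the limits. The function name, the limit values and the sample document are assumptions made for illustration.

```python
import re
from xml.parsers import expat

class EntityLimitExceeded(ValueError):
    """Raised when a DTD declares entities beyond the configured limits."""

_REF = re.compile(r"&([^;&#\s]+);")  # general entity references inside a value

def check_entity_limits(data, max_depth=3, max_size=1000):
    """Parse data; return {entity: (depth, expanded_size)} or raise."""
    decls, report = {}, {}

    def on_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:  # external or unparsed entity: refuse to load it
            raise EntityLimitExceeded(f"external entity {name!r} refused")
        decls[name] = value

    def measure(name, seen, memo):
        if name not in decls:  # predefined (&lt; etc.) or undeclared name
            return (0, 1)
        if name in memo:
            return memo[name]
        if name in seen:
            raise EntityLimitExceeded(f"recursive entity {name!r}")
        refs = _REF.findall(decls[name])
        parts = [measure(r, seen | {name}, memo) for r in refs]
        depth = 1 + max((d for d, _ in parts), default=0)   # nesting depth
        size = len(_REF.sub("", decls[name])) + sum(s for _, s in parts)
        if depth > max_depth or size > max_size:
            raise EntityLimitExceeded(f"{name!r}: depth {depth}, size {size}")
        memo[name] = (depth, size)
        return memo[name]

    def on_doctype_end():
        # Runs after the whole DTD is read and before any content is expanded.
        memo = {}
        for name in decls:
            report[name] = measure(name, frozenset(), memo)

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_decl
    parser.EndDoctypeDeclHandler = on_doctype_end
    parser.Parse(data, True)  # an exception raised in a handler aborts the parse
    return report

# Constructed sample: four small nested entities, 640 characters once expanded.
SAMPLE = (b'<!DOCTYPE r [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">'
          b'<!ENTITY c "&b;&b;&b;&b;"><!ENTITY d "&c;&c;&c;&c;">]><r>&d;</r>')
```

With the default limits the sample is refused at the fourth nesting level; raising `max_depth` to 4 lets it through and returns the measured depth and size per entity.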