On 22.01.2014 13:43, Jesse Noller wrote:
>> Well, it's not really a security issue, since the security features
>> are present in Python 3.4. It's just that the user has to enable them.
>
> I have to concur with Donald here - in the case of security, especially
> language security which directly impacts the implicit security of downstream
> applications, I should not have to opt in to the most secure defaults.
>
> Yes; this potentially breaks applications relying on insecure / loose
> defaults. However it changes the model to "you are by default, explicitly
> secure" then relying on the domain knowledge of an application developer to
> harden their application.
>
> When, if this changes, an application breaks, it will be in a plainly obvious
> way which can quickly be resolved.

The "can quickly be resolved" is the issue...

> Donald is perfectly right: today, it's trivial to MITM an application that
> relies off of the current behavior; this is bad news bears for users and
> developers as it means they need domain knowledge to secure their
> applications by default they may not have.

I don't think you need much domain knowledge to insert a single line of code
into applications to enable the checks. Using an environment switch the extra
checks could even be enabled without any code changes.

-- 
Marc-Andre Lemburg
eGenix.com

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev