On 23 March 2014 09:07, Donald Stufft <don...@stufft.io> wrote:
> As someone who is deeply biased towards improving the packaging tool chain
> and getting people to use it I think that most people will simply use the
> Stdlib even if a more secure alternative exists. In fact one does exist and I
> still see almost everyone using the stdlib ssl instead of pyopenssl. At best
> they have an optional dependency on it which many people who aren't security
> conscious won't even realize why they should install it.

I should probably mention explicitly in the PEP that security-related packages almost always involve somewhat tricky binary dependencies, and while we're working on it, our packaging ecosystem will still sometimes deliver a poor user experience on that front.

There's also an inherent divide between "using an old version of Python" and "willing to use new dependencies from pip". They're not disjoint sets (plenty of folks use the CentOS system Python + pip), but I expect there's a large enough population of conservative corporate users on older versions that won't use a pip-based solution even if it's available, thus not really solving the problem.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev