On 23 March 2014 at 04:32:17, Terry Reedy (tjre...@udel.edu) wrote:
> Instead, I think the PEP should propose a special series of server
> enhancement releases that are based on the final 2.7 maintenance release
> (2.7.8 or 2.7.9) but which have a different application-specific
> enhancement policy.

This is an interesting idea. My biggest problem with it is that, at least
with the ssl library, these aren’t server-only problems. If we suggest that
they are, we end up in the same position we’re in right now (that is, hurting
the internet).

For example, Python 2.7’s ssl module lacks the OP_NO_COMPRESSION option for
OpenSSL, meaning that the application is at the mercy of the server to determine
whether it’s vulnerable to the CRIME attack. Given that all modern browsers
already disable TLS compression, we can assume that lots of server admins haven’t
bothered disabling it on their end. This leaves pretty much anyone using HTTPS,
client or server, on Python 2.7 at risk of the CRIME attack. This isn’t a
server-only problem, so I feel like limiting the fixes to a ‘server’ release
is not good enough.
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
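The message above refers to the OP_NO_COMPRESSION option that Python 2.7's ssl module lacked. The following is an added example, not code from the thread or from CPython itself: it shows how a Python 3 `ssl.SSLContext` (3.4 or later, where `ssl.OP_NO_COMPRESSION` and `ssl.create_default_context` exist) disables TLS compression on the client side, and how to audit any context for that and two related hardening flags. `audit_context`, `make_hardened_client_context`, `connection_uses_compression` and `HARDENING_FLAGS` are names chosen for this example.

```python
import ssl

# Constructed example: build a TLS client context that refuses compression
# (the mitigation the thread is asking for against CRIME) and audit an
# arbitrary context for that setting. Assumes Python 3.4+.

HARDENING_FLAGS = ("OP_NO_COMPRESSION", "OP_NO_SSLv2", "OP_NO_SSLv3")


def audit_context(context):
    """Return {flag_name: bool} saying whether each hardening flag is set.

    A flag the running ssl module does not expose at all is reported as
    False; that is the situation the thread describes for Python 2.7 and
    OP_NO_COMPRESSION, where the option simply cannot be expressed.
    """
    report = {}
    for name in HARDENING_FLAGS:
        flag = getattr(ssl, name, None)
        report[name] = flag is not None and bool(context.options & flag)
    return report


def make_hardened_client_context():
    """Client context with TLS compression disabled.

    create_default_context() already sets OP_NO_COMPRESSION on current
    Pythons; the explicit OR keeps the intent visible and the getattr
    check fails loudly on an ssl build that cannot disable compression.
    """
    flag = getattr(ssl, "OP_NO_COMPRESSION", None)
    if flag is None:
        raise RuntimeError("this ssl module cannot disable TLS compression")
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.options |= flag
    return ctx


def connection_uses_compression(ssl_sock):
    """Post-handshake check on a connected ssl.SSLSocket.

    SSLSocket.compression() returns None when the negotiated session has
    no compression method, so this is the runtime confirmation that the
    context option actually took effect.
    """
    return ssl_sock.compression() is not None


if __name__ == "__main__":
    ctx = make_hardened_client_context()
    for name, enabled in audit_context(ctx).items():
        print("%-18s %s" % (name, "set" if enabled else "NOT set"))
```

`audit_context` is the part worth running against contexts you did not build yourself (a library's default, a framework's `ssl_context` hook): a False for OP_NO_COMPRESSION, whether because the flag is missing from the module or because nobody set it, is exactly the client-side exposure the message describes.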