Re: [Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
On Thu 6 Sep 2018 at 21:10, Steve Dower wrote:
> If Christian is not able to keep maintaining the defused* packages, then
> I may take a look at this next week at the sprints. The built-in XML
> packages actually don't meet Microsoft's internal security requirements,
> so I have some business motivation to do it.

Great! The best would be to be able to merge defuse* features into the stdlib. Maybe not change the default, but add an option to enable security counter-measures.

Victor

___
Python-Dev mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
On 2018-09-06 17:03, Guido van Rossum wrote:
> FWIW I'm with Antoine here -- XML is still important and I'd like us to
> go the extra mile here, not just give up because the issues have been
> inactive for a long time. We can't control what PyYAML does, but for the
> stdlib XML code, the buck stops here, and we should do the responsible
> thing.

Back in the days, I didn't push hard for the necessary fixes, because all fixes were breaking changes. After all I'd have to disable some features that people may have relied upon. The XML security stuff was my first major security topic for Python, even before SipHash24. I was more concerned not to break people's software than to keep the majority of users safe. I have changed my opinion over the last six, seven years.

By the way I couldn't fix some problems in Python and our expat wrapper either. The expat parser was missing features to properly implement security measurements. I need to check if expat has been improved over the years.

The topic is on the agenda for the core dev sprint.

Christian
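As an added example of what an opt-in counter-measure on top of the stdlib expat wrapper could look like, as discussed in the two messages above (this is not code from CPython or defusedxml, although it uses the same pyexpat handler hooks defusedxml relies on); the parse_hardened and is_rejected helpers and the sample documents are constructed for illustration:

```python
import xml.parsers.expat


class ForbiddenXMLFeature(ValueError):
    """Raised when a document uses a feature the hardened parser refuses."""

def parse_hardened(data, forbid_dtd=False):
    """Parse with the stdlib expat parser, refusing entity declarations and
    external entity references (what defusedxml turns off); returns the
    (tag, attributes) pairs of every start element.  Hypothetical helper."""
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def start_element(name, attrs):
        seen.append((name, attrs))

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires for internal and external declarations alike; an exception
        # raised in a handler stops the parser and propagates out of Parse().
        raise ForbiddenXMLFeature("entity declaration %r refused" % name)

    def external_entity_ref(context, base, system_id, public_id):
        # Defense in depth: returning 0 makes expat raise ExpatError rather
        # than silently skip the reference.
        return 0

    def start_doctype(name, system_id, public_id, has_internal_subset):
        if forbid_dtd:
            raise ForbiddenXMLFeature("DOCTYPE refused")

    parser.StartElementHandler = start_element
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartDoctypeDeclHandler = start_doctype
    parser.Parse(data, True)
    return seen

def is_rejected(data, **kw):
    """True if parse_hardened() refuses *data* (our check or an expat error)."""
    try:
        parse_hardened(data, **kw)
    except (ForbiddenXMLFeature, xml.parsers.expat.ExpatError):
        return True
    return False

# Constructed sample documents, not taken from the thread.
BENIGN = b'<config><db host="localhost" port="5432"/></config>'
WITH_DOCTYPE = b'<!DOCTYPE config><config/>'
WITH_ENTITY = b'<!DOCTYPE config [<!ENTITY greeting "hello">]><config>&greeting;</config>'
```

A bare DOCTYPE still parses unless forbid_dtd=True is passed, mirroring the "not the default, but an option" approach Victor suggests.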
Re: [Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
On Fri 7 Sep 2018 at 10:23, Christian Heimes wrote:
> Back in the days, I didn't push hard for the necessary fixes, because
> all fixes were breaking changes. After all I'd have to disable some
> features that people may have relied upon. The XML security stuff was my
> first major security topic for Python, even before SipHash24. I was more
> concerned not to break people's software than to keep the majority of
> users safe. I have changed my opinion over the last six, seven years.

I understood that Python 2.7.9, which required a valid TLS certificate, annoyed many customers. So I don't think that it would be a good idea to enforce XML security in a minor Python release.

But would it make sense to make XML stricter in Python 3.8 and add an option to opt out? Or do we need a cycle of 1.5 years (Python 3.8) with a warning, and change the default in the next cycle?

> The topic is on the agenda for the core dev sprint.

Great :-) Things are moving on.

Victor
Re: [Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
* Victor Stinner, 2018-09-06, 16:40:
> I'm also dubious about PyYAML which allows to run arbitrary Python code
> in a configuration *by default*. But well, it seems like nobody stepped
> in to change the default.

PyYAML maintainers intend to change the default soon:
https://github.com/yaml/pyyaml/issues/207

-- 
Jakub Wilk
[Python-Dev] Fwd: We cannot fix all issues: let's close XML security issues (not fix them)
Thank you Victor. XML support in Python is critical and desired for many sectors like banking or telecoms, and code base based on XML is still on the rise in such world. That's why keeping such bugs open is important, as it is not impossible that someone (banks, telecoms, google camps, government grants) would simply fund a small project aiming at fixing those bugs in XML. We never know.

Beginning of forwarded message
07.09.2018, 09:03, "Victor Stinner":
On Thu 6 Sep 2018 at 21:10, Steve Dower wrote:
> If Christian is not able to keep maintaining the defused* packages, then
> I may take a look at this next week at the sprints. The built-in XML
> packages actually don't meet Microsoft's internal security requirements,
> so I have some business motivation to do it.

Great! The best would be to be able to merge defuse* features into the stdlib. Maybe not change the default, but add an option to enable security counter-measures.

Victor
End of forwarded message
Re: [Python-Dev] Fwd: We cannot fix all issues: let's close XML security issues (not fix them)
On Fri 7 Sep 2018 at 17:02, PMS PMS wrote:
> XML support in Python is critical and desired for many sectors like banking
> or telecoms,
> and code base based on XML is still on rise in such world.

Would it be possible to send money to the PSF? I'm sure that the PSF will be able to find you a developer able to quickly fix these XML issues!

Victor
Re: [Python-Dev] Fwd: We cannot fix all issues: let's close XML security issues (not fix them)
@VictorStinner sigh, what can I say? It seems to me that this issue has taken on a new dimension.

@appinv
Abdur-Rahmaan Janhangeer
https://github.com/Abdur-rahmaanJ
Mauritius
[Python-Dev] Summary of Python tracker Issues
ACTIVITY SUMMARY (2018-08-31 - 2018-09-07)
Python tracker at https://bugs.python.org/

To view or respond to any of the issues listed below, click on the issue.
Do NOT respond to this message.

Issues counts and deltas:
  open    6841 (+13)
  closed 39517 (+38)
  total  46358 (+51)

Open issues with patches: 2729

Issues opened (40)
==================

#34557: When sending binary file to a Microsoft FTP server over FTP TL
https://bugs.python.org/issue34557  opened by James Campbell2

#34559: multiprocessing AuthenticationError when nesting with non-defa
https://bugs.python.org/issue34559  opened by natedogith1

#34560: Backport of uuid1() failure fix
https://bugs.python.org/issue34560  opened by Riccardo Mottola

#34561: Replace list sorting merge_collapse()?
https://bugs.python.org/issue34561  opened by tim.peters

#34562: cannot install versions 3.6.5+ on Windows
https://bugs.python.org/issue34562  opened by Zyg

#34564: Tutorial Section 2.1 Windows Installation Path Correction
https://bugs.python.org/issue34564  opened by aperture

#34565: Launcher does not validate major versions
https://bugs.python.org/issue34565  opened by bgerrity

#34568: Types in `typing` not anymore instances of `type` or subclasse
https://bugs.python.org/issue34568  opened by pekka.klarck

#34569: test__xxsubinterpreters.ShareableTypeTests._assert_values fail
https://bugs.python.org/issue34569  opened by Michael.Felt

#34570: Segmentation fault in _PyType_Lookup
https://bugs.python.org/issue34570  opened by Pablosky

#34572: C unpickling bypasses import thread safety
https://bugs.python.org/issue34572  opened by tjb900

#34573: Simplify __reduce__() of set and dict iterators.
https://bugs.python.org/issue34573  opened by sir-sigurd

#34574: OrderedDict iterators are exhausted during pickling
https://bugs.python.org/issue34574  opened by sir-sigurd

#34575: Python 3.6 compilation fails on AppVeyor: libeay.lib was creat
https://bugs.python.org/issue34575  opened by vstinner

#34576: SimpleHTTPServer: warn users on security
https://bugs.python.org/issue34576  opened by vstinner

#34578: Pipenv lock : ModuleNotFoundError: No module named '_ctypes'
https://bugs.python.org/issue34578  opened by Arselon

#34579: test_embed.InitConfigTests fail on AIX
https://bugs.python.org/issue34579  opened by Michael.Felt

#34580: sqlite doc: clarify the scope of the context manager
https://bugs.python.org/issue34580  opened by vigdis

#34582: VSTS builds should use new YAML syntax and pools
https://bugs.python.org/issue34582  opened by David Staheli

#34583: os.stat() wrongfully returns False for symlink on Windows 10 v
https://bugs.python.org/issue34583  opened by Isaac Shabtay

#34584: subprocess
https://bugs.python.org/issue34584  opened by JokeNeverSoke

#34585: Don't use AC_RUN_IFELSE to determine float endian
https://bugs.python.org/issue34585  opened by rossburton

#34586: collections.ChainMap should have a get_where method
https://bugs.python.org/issue34586  opened by Zahari.Dim

#34587: test_socket: testCongestion() hangs on my Fedora 28
https://bugs.python.org/issue34587  opened by vstinner

#34588: traceback formatting can drop a frame
https://bugs.python.org/issue34588  opened by benjamin.peterson

#34589: Py_Initialize() and Py_Main() should not enable C locale coerc
https://bugs.python.org/issue34589  opened by vstinner

#34590: "Logging HOWTO" should share an example of best practices for
https://bugs.python.org/issue34590  opened by Nathaniel Manista

#34591: smtplib mixes RFC821 and RFC822 addresses
https://bugs.python.org/issue34591  opened by daurnimator

#34592: cdll.LoadLibrary allows None as an argument
https://bugs.python.org/issue34592  opened by superbobry

#34595: PyUnicode_FromFormat(): add %T format for an object type name
https://bugs.python.org/issue34595  opened by vstinner

#34596: [unittest] raise error if @skip is used with an argument that
https://bugs.python.org/issue34596  opened by Naitree Zhu

#34597: Python needs to check existence of functions at runtime for ta
https://bugs.python.org/issue34597  opened by Zorg

#34598: How to fix? Error in Kali linux python 2.7 - Collecting pip Fr
https://bugs.python.org/issue34598  opened by andy polandski

#34600: python3 regression ElementTree.iterparse() unable to capture c
https://bugs.python.org/issue34600  opened by Martin Hosken

#34602: python3 resource.setrlimit strange behaviour under macOS
https://bugs.python.org/issue34602  opened by marche147

#34603: ctypes on Windows: error calling C function that returns a str
https://bugs.python.org/issue34603  opened by mattneri

#34604: Possible mojibake in pwd.getpwnam and grp.getgrnam
https://bugs.python.org/issue34604  opened by wg

#34605: Avoid master/slave terminology
https://bugs.python.org/issue34605  opened by vstinner

#34606: Unable to read zip file with extra
https://bugs.python.org/issue34606  opened by altendky

#34607: test_multiprocessing_forkserver is altering the environment on
https://bugs.python
Re: [Python-Dev] Fwd: We cannot fix all issues: let's close XML security issues (not fix them)
On 2018-09-07 17:46, Victor Stinner wrote:
> On Fri 7 Sep 2018 at 17:02, PMS PMS wrote:
>> XML support in Python is critical and desired for many sectors like banking
>> or telecoms,
>> and code base based on XML is still on rise in such world.
>
> Would it be possible to send money to the PSF? I'm sure that the PSF
> will be able to find you a developer able to quickly fix these XML
> issues!

Feel free to send the money directly to me. After all I found the bugs, documented them, and fixed them in defusedxml.
Re: [Python-Dev] We cannot fix all issues: let's close XML security issues (not fix them)
On 9/6/2018 11:05 AM, Ryan Gonzalez wrote:
> Thought: what if there's a label on the bug tracker meaning roughly
> "we're probably not going to fix this anytime soon, but we won't mind
> someone stepping up"?

Not needed. Good patches are always welcome. And if there is no current PR or other information indicating otherwise, a fix 'soon' is usually unlikely. But what we mostly need is not more patches, but more reviews. Anyone can act like a core dev up to the point of actually pushing the green merge button.

-- 
Terry Jan Reedy
