[Python-Dev] PEP 466 (round 5): selected network security enhancements for Python 2.7
Guido and Antoine persuaded me that selective backports would be a better idea for the network security enhancements than the wholesale module backports previously suggested, while Alex and Donald provided the necessary additional details, so here's a revised version of the PEP. Despite making it more explicit, I deleted more lines than I added, strongly suggesting that switching to selective backports was the right call :) I dealt with the SSL module the way Donald suggested: excluding the RAND_* functions, rather than listing everything else. I also changed the headings to make it clear the listed alternatives were rejected ideas, made the footnotes a bit more readable, and tidied up the wording in a few places. Diff: http://hg.python.org/peps/rev/8527f6e2beb0 Web: http://www.python.org/dev/peps/pep-0466/ == PEP: 466 Title: Network Security Enhancement Exception for Python 2.7 Version: $Revision$ Last-Modified: $Date$ Author: Nick Coghlan ncogh...@gmail.com, Status: Draft Type: Informational Content-Type: text/x-rst Created: 23-Mar-2014 Post-History: 23-Mar-2014, 24-Mar-2014, 25-Mar-2014, 26-Mar-2014 Abstract Most CPython tracker issues are classified as errors in behaviour or proposed enhancements. Most patches to fix behavioural errors are applied to all active maintenance branches. Enhancement patches are restricted to the default branch that becomes the next Python version. This cadence works reasonably well during Python's normal 18-24 month feature release cycle, which is still applicable to the Python 3 series. However, the age of the standard library in Python 2 has now reached a point where it is sufficiently far behind the state of the art in network security protocols for it to be causing real problems in use cases where upgrading to Python 3 in the near term may not be feasible. In recognition of the additional practical considerations that have arisen during the 4+ year maintenance cycle for Python 2.7, this PEP allows Python 2.7 standard library components that have implications for the overall security of the internet to be updated in line with the corresponding Python 3 feature releases. Specifically, the exception allows a critical set of network security related features to be backported from Python 3.4 to the upcoming Python 2.7.7 maintenance release. While this PEP does not make any changes to the core development team's handling of security-fix-only branches that are no longer in active maintenance, it *does* recommend that commercial redistributors providing extended support periods for the Python standard library either backport these features to their supported versions, or else explicitly disclaim support for the use of older versions in roles that involve connecting directly to the public internet. Exemption Policy Under this policy, the following features SHOULD be backported from Python 3.4 to the upcoming Python 2.7.7 maintenance release: * in the ``os`` module: * persistent file descriptor for ``os.urandom()``. * in the ``hmac`` module: * constant time comparison function (``hmac.compare_digest()``). * in the ``hashlib`` module: * password hashing function (``hashlib.pbkdf2_hmac()``). * details of hash algorithm availability (``hashlib.algorithms_guaranteed`` and ``hashlib.algorithms_guaranteed``). * in the ``ssl`` module: * this module is almost entirely synchronised with its Python 3 counterpart, bringing TLSv2, SSLContext manipulation, Server Name Identification, access to platform certificate stores, standard library support for peer hostname validation and more to the Python 2 series. * the only ``ssl`` module features *not* backported under this policy are the ``ssl.RAND_*`` functions that provide access to OpenSSL's random number generation capabilities - use ``os.urandom()`` instead. As part of this policy, permission is also granted to upgrade to newer feature releases of OpenSSL when preparing the binary installers for new maintenance releases of Python 2.7. Backwards Compatibility Considerations == As in the Python 3 series, the backported ``ssl.create_default_context()`` API is granted a backwards compatibility exemption that permits the protocol, options, cipher and other settings of the created SSL context to be made This PEP does *not* grant any exemptions to the usual backwards compatibility policy for maintenance releases. Instead, by explicitly encouraging the use of feature based checks, it is designed to make it easier to write more secure cross-version compatible Python software, while still limiting the risk of breaking currently working software when upgrading to a new Python 2.7 maintenance release. In all cases where this policy allows new features to be backported to the Python 2.7 release series, it is possible to write cross-version compatible code that operates by feature detection (for
Re: [Python-Dev] PEP 466 (round 5): selected network security enhancements for Python 2.7
Typo I think: As in the Python 3 series, the backported ssl.create_default_context() API is granted a backwards compatibility exemption that permits the protocol, options, cipher and other settings of the created SSL context to be made made what? On Mar 26, 2014, at 8:00 AM, Nick Coghlan ncogh...@gmail.com wrote: Guido and Antoine persuaded me that selective backports would be a better idea for the network security enhancements than the wholesale module backports previously suggested, while Alex and Donald provided the necessary additional details, so here's a revised version of the PEP. Despite making it more explicit, I deleted more lines than I added, strongly suggesting that switching to selective backports was the right call :) I dealt with the SSL module the way Donald suggested: excluding the RAND_* functions, rather than listing everything else. I also changed the headings to make it clear the listed alternatives were rejected ideas, made the footnotes a bit more readable, and tidied up the wording in a few places. Diff: http://hg.python.org/peps/rev/8527f6e2beb0 Web: http://www.python.org/dev/peps/pep-0466/ == PEP: 466 Title: Network Security Enhancement Exception for Python 2.7 Version: $Revision$ Last-Modified: $Date$ Author: Nick Coghlan ncogh...@gmail.com, Status: Draft Type: Informational Content-Type: text/x-rst Created: 23-Mar-2014 Post-History: 23-Mar-2014, 24-Mar-2014, 25-Mar-2014, 26-Mar-2014 Abstract Most CPython tracker issues are classified as errors in behaviour or proposed enhancements. Most patches to fix behavioural errors are applied to all active maintenance branches. Enhancement patches are restricted to the default branch that becomes the next Python version. This cadence works reasonably well during Python's normal 18-24 month feature release cycle, which is still applicable to the Python 3 series. However, the age of the standard library in Python 2 has now reached a point where it is sufficiently far behind the state of the art in network security protocols for it to be causing real problems in use cases where upgrading to Python 3 in the near term may not be feasible. In recognition of the additional practical considerations that have arisen during the 4+ year maintenance cycle for Python 2.7, this PEP allows Python 2.7 standard library components that have implications for the overall security of the internet to be updated in line with the corresponding Python 3 feature releases. Specifically, the exception allows a critical set of network security related features to be backported from Python 3.4 to the upcoming Python 2.7.7 maintenance release. While this PEP does not make any changes to the core development team's handling of security-fix-only branches that are no longer in active maintenance, it *does* recommend that commercial redistributors providing extended support periods for the Python standard library either backport these features to their supported versions, or else explicitly disclaim support for the use of older versions in roles that involve connecting directly to the public internet. Exemption Policy Under this policy, the following features SHOULD be backported from Python 3.4 to the upcoming Python 2.7.7 maintenance release: * in the ``os`` module: * persistent file descriptor for ``os.urandom()``. * in the ``hmac`` module: * constant time comparison function (``hmac.compare_digest()``). * in the ``hashlib`` module: * password hashing function (``hashlib.pbkdf2_hmac()``). * details of hash algorithm availability (``hashlib.algorithms_guaranteed`` and ``hashlib.algorithms_guaranteed``). * in the ``ssl`` module: * this module is almost entirely synchronised with its Python 3 counterpart, bringing TLSv2, SSLContext manipulation, Server Name Identification, access to platform certificate stores, standard library support for peer hostname validation and more to the Python 2 series. * the only ``ssl`` module features *not* backported under this policy are the ``ssl.RAND_*`` functions that provide access to OpenSSL's random number generation capabilities - use ``os.urandom()`` instead. As part of this policy, permission is also granted to upgrade to newer feature releases of OpenSSL when preparing the binary installers for new maintenance releases of Python 2.7. Backwards Compatibility Considerations == As in the Python 3 series, the backported ``ssl.create_default_context()`` API is granted a backwards compatibility exemption that permits the protocol, options, cipher and other settings of the created SSL context to be made This PEP does *not* grant any exemptions to the usual backwards compatibility policy for maintenance releases. Instead, by explicitly encouraging the use of feature based checks, it is
Re: [Python-Dev] PEP 466 (round 5): selected network security enhancements for Python 2.7
On 26 March 2014 22:05, Donald Stufft don...@stufft.io wrote: Typo I think: As in the Python 3 series, the backported ssl.create_default_context() API is granted a backwards compatibility exemption that permits the protocol, options, cipher and other settings of the created SSL context to be made made what? Incomplete edit that I didn't notice until after posting. Fixed in the web version now, along with the copy paste error in the list of hashlib attributes to be backported. The first two backwards compatibility paragraphs: === As in the Python 3 series, the backported ssl.create_default_context() API is granted a backwards compatibility exemption that permits the protocol, options, cipher and other settings of the created SSL context to be updated in maintenance releases to use higher default security settings. This allows them to appropriately balance compatibility and security at the time of the maintenance release, rather than at the time of the original feature release. This PEP does not grant any other exemptions to the usual backwards compatibility policy for maintenance releases. Instead, by explicitly encouraging the use of feature based checks, it is designed to make it easier to write more secure cross-version compatible Python software, while still limiting the risk of breaking currently working software when upgrading to a new Python 2.7 maintenance release. === Cheers, Nick. -- Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] PEP 466 (round 5): selected network security enhancements for Python 2.7
On Mar 26, 2014, at 8:00 AM, Nick Coghlan ncogh...@gmail.com wrote: Guido and Antoine persuaded me that selective backports would be a better idea for the network security enhancements than the wholesale module backports previously suggested, while Alex and Donald provided the necessary additional details, so here's a revised version of the PEP. Despite making it more explicit, I deleted more lines than I added, strongly suggesting that switching to selective backports was the right call :) I dealt with the SSL module the way Donald suggested: excluding the RAND_* functions, rather than listing everything else. I also changed the headings to make it clear the listed alternatives were rejected ideas, made the footnotes a bit more readable, and tidied up the wording in a few places. Diff: http://hg.python.org/peps/rev/8527f6e2beb0 Web: http://www.python.org/dev/peps/pep-0466/ == PEP: 466 Title: Network Security Enhancement Exception for Python 2.7 Version: $Revision$ Last-Modified: $Date$ Author: Nick Coghlan ncogh...@gmail.com, Status: Draft Type: Informational Content-Type: text/x-rst Created: 23-Mar-2014 Post-History: 23-Mar-2014, 24-Mar-2014, 25-Mar-2014, 26-Mar-2014 snip This looks reasonable to me still and still solves the major problems that trying to securely use the 2.7 series has. +1 From me. - Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA signature.asc Description: Message signed with OpenPGP using GPGMail ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] PEP 466 (round 5): selected network security enhancements for Python 2.7
On 26 Mar 2014 23:12, Cory Benfield c...@lukasa.co.uk wrote: Nick, On 26 March 2014 12:00, Nick Coghlan ncogh...@gmail.com wrote: As one example, the Python 2 ``ssl`` module does not support the Server Name Identification standard. Tiny note: SNI is 'Server Name Indication', not 'Identification'. =) Hah, you know, I've never actually looked that up, because I assumed I knew what it stood for based on context :) Cheers, Nick. ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] PEP 466 (round 5): selected network security enhancements for Python 2.7
On Mar 26, 2014, at 10:00 PM, Nick Coghlan wrote: Guido and Antoine persuaded me that selective backports would be a better idea for the network security enhancements than the wholesale module backports previously suggested, while Alex and Donald provided the necessary additional details, so here's a revised version of the PEP. Despite making it more explicit, I deleted more lines than I added, strongly suggesting that switching to selective backports was the right call :) Thanks. I think the narrower scope and details greatly improves this PEP and resolves most of the concerns I had about it. It maintains the backward compatibility pledge but relaxes the new feature backport prohibition where security concerns trump. Cheers, -Barry ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
[Python-Dev] PEP 466 (round 5): selected network security enhancements for Python 2.7
On Wed Mar 26 2014 at 8:02:08 AM, Nick Coghlan ncogh...@gmail.com wrote: Guido and Antoine persuaded me that selective backports would be a better idea for the network security enhancements than the wholesale module backports previously suggested, while Alex and Donald provided the necessary additional details, so here's a revised version of the PEP. Despite making it more explicit, I deleted more lines than I added, strongly suggesting that switching to selective backports was the right call :) I dealt with the SSL module the way Donald suggested: excluding the RAND_* functions, rather than listing everything else. I also changed the headings to make it clear the listed alternatives were rejected ideas, made the footnotes a bit more readable, and tidied up the wording in a few places. Diff: http://hg.python.org/peps/rev/8527f6e2beb0 Web: http://www.python.org/dev/peps/pep-0466/ == PEP: 466 Title: Network Security Enhancement Exception for Python 2.7 Version: $Revision$ Last-Modified: $Date$ Author: Nick Coghlan ncogh...@gmail.com, Status: Draft Type: Informational Content-Type: text/x-rst Created: 23-Mar-2014 Post-History: 23-Mar-2014, 24-Mar-2014, 25-Mar-2014, 26-Mar-2014 [SNIP] Exemption Policy Under this policy, the following features SHOULD be backported from Python 3.4 to the upcoming Python 2.7.7 maintenance release: * in the ``os`` module: * persistent file descriptor for ``os.urandom()``. * in the ``hmac`` module: * constant time comparison function (``hmac.compare_digest()``). * in the ``hashlib`` module: * password hashing function (``hashlib.pbkdf2_hmac()``). * details of hash algorithm availability (``hashlib.algorithms_ guaranteed`` and ``hashlib.algorithms_guaranteed``). You said algorithms_guaranteed twice. I assume that wasn't for emphasis. =) I'm +1 on this version of the PEP. ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] PEP 466 (round 5): selected network security enhancements for Python 2.7
Nick, On 26 March 2014 12:00, Nick Coghlan ncogh...@gmail.com wrote: As one example, the Python 2 ``ssl`` module does not support the Server Name Identification standard. Tiny note: SNI is 'Server Name Indication', not 'Identification'. =) Otherwise, I'm +1 on this as well. ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] PEP 466 (round 5): selected network security enhancements for Python 2.7
This mostly looks good to me, however I'm not sure I understand the point of this sentence: Rather, it is intended to send a clear signal to potential corporate contributors that the core development team are willing to accept offers of corporate assistance in putting this policy into effect [...]. It's fairly evident to me that the folks most likely to actually do the work of implementing this are myself and Donald. This PEP really has nothing to do with corporate contribution, so I think this sentence ought to be removed. Alex ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] PEP 466 (round 5): selected network security enhancements for Python 2.7
On 03/26/2014 05:00 AM, Nick Coghlan wrote: The Mac OS X binary installers historically followed the same policy as other POSIX installations and dynamically linked to the Apple provided OpenSSL libraries. However, Apple has now ceased updating these cross-platform libraries, instead requiring that even cross-platform developers adopt Mac OS X specific interfaces to access up to date security infrastructure on their platform. Accordingly, and independently of this PEP, the Mac OS X binary installers were already going to be switched to statically linker newer versions of OpenSSL [4]_ Should be 'link', not 'linker'. Looks good. +1 -- ~Ethan~ ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] PEP 466 (round 5): selected network security enhancements for Python 2.7
On 27 Mar 2014 01:28, Alex Gaynor alex.gay...@gmail.com wrote: This mostly looks good to me, however I'm not sure I understand the point of this sentence: Rather, it is intended to send a clear signal to potential corporate contributors that the core development team are willing to accept offers of corporate assistance in putting this policy into effect [...]. It's fairly evident to me that the folks most likely to actually do the work of implementing this are myself and Donald. This PEP really has nothing to do with corporate contribution, so I think this sentence ought to be removed. Sure, I can reword that bit. I think I've made my point on that front by now, anyway, so preserving it in the web version isn't really necessary :) Cheers, Nick. Alex ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/ncoghlan%40gmail.com ___ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com