On Jun 24, 2016, at 12:11 AM, Victor Stinner wrote:

> Once we modified Python 3.6 to handle correctly "the bug" and we
> consider that the implementation is tested enough, I suggest to
> backport it to Python 2.7 as well. Moreover, I would also suggest to
> backport the change to Python 3.5, I would be sad if Python 2 is more
> secure than the latest Python 3 release :-)
This is the fundamental point of disagreement, and I think it points again to a deficiency in our process. Regardless of the outcome of this specific case, I think we should try to tighten up our definitions and codify our policy in an informational PEP.

What criteria do we use to classify an issue as a security bug requiring a fix, with backports, overriding any backward compatibility breaks? I think we've been largely ad hoc about this question.

One thing I think such an informational PEP must require is a rationale as to why the issue is being classified as a security bug, a backporting rationale and plan, and a "Backwards Compatibility Impact Assessment", which I'm very glad to see in PEP 522.

Cheers,
-Barry
_______________________________________________
Security-SIG mailing list
https://mail.python.org/mailman/listinfo/security-sig
