On Thu, Nov 16, 2017 at 08:14:39PM +0000, Lee Jones wrote:
> We want to avoid installing Python from source if possible - we run a
> mission critical system in production and need to ensure that we use
> the version of Python provided with Ubuntu; our view is that this
> version is stable and installing a version from source could lead to
> compatibility issues.
>
> We appreciate the Stable Release Updates policy, however we were
> wondering if SNI could be considered for backporting based on a
> security concern? Over the past twelve months SNI has grown in
> popularity and many web hosting companies have now adopted it. Without
> supporting SNI, it is not possible to verify the common name in the
> website SSL certificate with the website domain.
One thing I'd say is that this does carry a somewhat higher risk of regressions for users of the package than usual. When we upgraded launchpad.net from Ubuntu 12.04 to 16.04 earlier this year, we of course ended up with the SNI changes as a result, but because it was part of a scheduled upgrade we were able to make most of the code changes that we had to make to cope with this in advance. (For example, we now have to tell python-openid about the certificate of our test OpenID provider in our test suite, which we couldn't do before because urllib2.urlopen didn't take a "cafile" argument in earlier versions of Python.) Even with that preparation, we missed a bit and suffered a regression in production related to commercial subscriptions (https://bugs.launchpad.net/launchpad/+bug/1688361). As a scheduled upgrade, though, this was something we could deal with and gain most of the assurance we needed in advance by running our test suite on 16.04; it would have been much more problematic if it had suddenly appeared as part of routine stable upgrades.

The SNI changes to Python are pretty extensive and touch quite a few modules. If I were in your position, I would instead be organising a scheduled upgrade to 16.04. (Indeed, I pretty much was in your position earlier this year - Launchpad is a mission-critical production site - and this is exactly what we did.) This would bring in the SNI changes as well as many other improvements; you're going to have to do it anyway eventually; and it wouldn't carry the same risk of regressions for other users.

I'm not in a position to answer for Ubuntu's Python maintenance; this is just some perspective as a user.

-- 
Colin Watson [[email protected]]

-- 
ubuntu-devel mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
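The thread turns on two things the interpreter must be able to do before an HTTPS fetch can be trusted: send the server name during the TLS handshake (SNI, so the host presents the right certificate) and verify that certificate's chain and hostname, optionally against a private CA file as in the python-openid test-suite case Colin describes. The preflight check below is an added example, not code from either poster or from Ubuntu's Python packages. It assumes only the standard library (`ssl.HAS_SNI`, `ssl.create_default_context`, and the `context` argument to `urlopen`, all present in Python 2.7.9+ and 3.4+); on an interpreter without those, which is the situation the original question is about, it reports every capability as unavailable and `fetch_verified` refuses to make the request rather than silently connecting unverified.

```python
import ssl
import sys

try:  # Python 3
    from urllib.request import urlopen
except ImportError:  # Python 2.7; only 2.7.9+ accepts the context argument
    from urllib2 import urlopen


def tls_client_capabilities():
    """Report whether this interpreter can send SNI and verify server
    certificates (chain and hostname). Older 2.7 builds lack
    create_default_context entirely, so that case is reported as all-False."""
    caps = {
        "python": sys.version.split()[0],
        "has_sni": bool(getattr(ssl, "HAS_SNI", False)),
        "verifies_chain": False,
        "verifies_hostname": False,
    }
    try:
        ctx = ssl.create_default_context()
    except AttributeError:
        return caps  # pre-2.7.9 / pre-3.4 interpreter: no modern TLS client support
    caps["verifies_chain"] = ctx.verify_mode == ssl.CERT_REQUIRED
    caps["verifies_hostname"] = bool(ctx.check_hostname)
    return caps


def sni_verification_ready(caps=None):
    """True only when SNI, chain verification and hostname checking are all on."""
    if caps is None:
        caps = tls_client_capabilities()
    return bool(caps["has_sni"] and caps["verifies_chain"] and caps["verifies_hostname"])


def build_context(cafile=None):
    """Default (verifying) context; cafile points at a private CA bundle
    when the server uses a certificate the system trust store does not know,
    such as a test-only OpenID provider."""
    return ssl.create_default_context(cafile=cafile)


def fetch_verified(url, cafile=None, timeout=10):
    """Open url with SNI and full certificate verification, or refuse.
    Failing closed here is the point: a fetch that "works" without
    hostname verification gives no assurance about who answered."""
    if not sni_verification_ready():
        raise RuntimeError("interpreter cannot send SNI or verify certificates; refusing to fetch")
    return urlopen(url, timeout=timeout, context=build_context(cafile))


if __name__ == "__main__":
    for name, value in sorted(tls_client_capabilities().items()):
        print("%-18s %s" % (name, value))
    print("ready for verified HTTPS: %s" % sni_verification_ready())
```

Run it under the distribution's own interpreter before relying on it for HTTPS; a system whose Python reports `has_sni False` cannot have the common name checked against the requested domain, which is exactly the gap the original question raises.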
