Message 117636 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	pitrou
Recipients	Ryan.Tucker, ahasenack, asdfasdfasdfasdfasdfasdfasdf, debatem1, devin, giampaolo.rodola, heikki, janssen, jsamuel, orsenthil, pitrou, vila, zooko
Date	2010-09-29.18:34:25
SpamBayes Score	1.587815e-09
Marked as misclassified	No
Message-id	<1285785261.3194.12.camel@localhost.localdomain>
In-reply-to	<1285783431.14.0.180526346114.issue1589@psf.upfronthosting.co.za>

Content
> Here is a letter that I just received, in my role as a developer of > Tahoe-LAFS, from a concerned coder who doesn't know much about Python: > > > An FYI on Python. > > > > I'm not sure how businesses handle this (I've always worked in > Windows > > shops), but I imagine some might consider pulling Python until it is > > properly secured. Pulling Python might affect Tahoe, which I would > > like to see do well. That sounds like an inventively outrageous kind of FUD. It's the first time I hear of someone writing to third-party library authors in order to pressure them to pressure the maintainers of a programming language implementation to make some "decisions". By the way, if "businesses" are really concerned about the security problems induced by this issue, they can sponsor the effort to get the bug fixed. It shouldn't be a lot of work. > This appears to be a concern for some people. Maybe the builtin ssl > module should be deprecated if there isn't a lot of manpower to > maintain it and instead the well-maintained pyOpenSSL package should > become the recommended tool? Correct me if I'm wrong, but the "well-maintained pyOpenSSL package" doesn't have the missing functionality (hostname checking in server certificates), either. M2Crypto has it, though.

> Here is a letter that I just received, in my role as a developer of
> Tahoe-LAFS, from a concerned coder who doesn't know much about Python:
> 
> > An FYI on Python.
> > 
> > I'm not sure how businesses handle this (I've always worked in
> Windows
> > shops), but I imagine some might consider pulling Python until it is
> > properly secured. Pulling Python might affect Tahoe, which I would
> > like to see do well.

That sounds like an inventively outrageous kind of FUD. It's the first
time I hear of someone writing to third-party library authors in order
to pressure them to pressure the maintainers of a programming language
implementation to make some "decisions".

By the way, if "businesses" are really concerned about the security
problems induced by this issue, they can sponsor the effort to get the
bug fixed. It shouldn't be a lot of work.

> This appears to be a concern for some people. Maybe the builtin ssl
> module should be deprecated if there isn't a lot of manpower to
> maintain it and instead the well-maintained pyOpenSSL package should
> become the recommended tool?

Correct me if I'm wrong, but the "well-maintained pyOpenSSL package"
doesn't have the missing functionality (hostname checking in server
certificates), either. M2Crypto has it, though.

History
Date	User	Action	Args
2010-09-29 18:34:28	pitrou	set	recipients: + pitrou, zooko, janssen, orsenthil, giampaolo.rodola, vila, heikki, ahasenack, debatem1, jsamuel, devin, asdfasdfasdfasdfasdfasdfasdf, Ryan.Tucker
2010-09-29 18:34:25	pitrou	link	issue1589 messages
2010-09-29 18:34:25	pitrou	create