Message 287650 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	ncoghlan
Recipients	Eric Appelt, barry, brett.cannon, doko, eric.snow, ncoghlan, petr.viktorin, serhiy.storchaka
Date	2017-02-12.20:59:46
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1486933186.65.0.278111400132.issue29514@psf.upfronthosting.co.za>
In-reply-to

Content
Thanks Eric! I've left some detailed comments on the PR, with the main one being to include the "expected" table directly in the test case so it doesn't require any changes to importlib itself. For Serhiy - thanks for the explanation of the potential security impact of the original bug, as well as the additional patch that resolves that aspect even for the invalid bytecode. As for as the complexity of the test case itself goes, the main cases we're interested in here are how it fails: - when an RM goes to make a candidate release, they may forget to record the now expected magic number for that release series and get prompted by the failing test case. We'd like them to be able to just copy the magic number from _bootstrap_external.py directly into the table of expected magic numbers - when someone attempts to bump the magic number in a maintenance release, we want the warning that that's a higher impact change than it may first appear (one we know how to deal with now, but still something we'd prefer to avoid if we possibly can) So I think it makes sense to have a relatively verbose test case, even though the core of it is a really simple check of a single value.

Thanks Eric! I've left some detailed comments on the PR, with the main one being to include the "expected" table directly in the test case so it doesn't require any changes to importlib itself.

For Serhiy - thanks for the explanation of the potential security impact of the original bug, as well as the additional patch that resolves that aspect even for the invalid bytecode.

As for as the complexity of the test case itself goes, the main cases we're interested in here are how it fails:

- when an RM goes to make a candidate release, they may forget to record the now expected magic number for that release series and get prompted by the failing test case. We'd like them to be able to just copy the magic number from _bootstrap_external.py directly into the table of expected magic numbers

- when someone attempts to bump the magic number in a maintenance release, we want the warning that that's a higher impact change than it may first appear (one we know how to deal with now, but still something we'd prefer to avoid if we possibly can)

So I think it makes sense to have a relatively verbose test case, even though the core of it is a really simple check of a single value.

History
Date	User	Action	Args
2017-02-12 20:59:46	ncoghlan	set	recipients: + ncoghlan, barry, brett.cannon, doko, petr.viktorin, eric.snow, serhiy.storchaka, Eric Appelt
2017-02-12 20:59:46	ncoghlan	set	messageid: <1486933186.65.0.278111400132.issue29514@psf.upfronthosting.co.za>
2017-02-12 20:59:46	ncoghlan	link	issue29514 messages
2017-02-12 20:59:46	ncoghlan	create