Author pitrou
Recipients Ryan.Tucker, ahasenack, asdfasdfasdfasdfasdfasdfasdf, debatem1, devin, giampaolo.rodola, heikki, janssen, jsamuel, orsenthil, pitrou, vila, zooko
Date 2010-09-29.18:34:25
Message-id <1285785261.3194.12.camel@localhost.localdomain>
In-reply-to <1285783431.14.0.180526346114.issue1589@psf.upfronthosting.co.za>
Content
> Here is a letter that I just received, in my role as a developer of
> Tahoe-LAFS, from a concerned coder who doesn't know much about Python:
> 
> > An FYI on Python.
> > 
> > I'm not sure how businesses handle this (I've always worked in
> > Windows shops), but I imagine some might consider pulling Python until it is
> > properly secured. Pulling Python might affect Tahoe, which I would
> > like to see do well.

That sounds like an inventively outrageous kind of FUD. It's the first
time I hear of someone writing to third-party library authors in order
to pressure them to pressure the maintainers of a programming language
implementation to make some "decisions".

By the way, if "businesses" are really concerned about the security
problems induced by this issue, they can sponsor the effort to get the
bug fixed. It shouldn't be a lot of work.

> This appears to be a concern for some people. Maybe the builtin ssl
> module should be deprecated if there isn't a lot of manpower to
> maintain it and instead the well-maintained pyOpenSSL package should
> become the recommended tool?

Correct me if I'm wrong, but the "well-maintained pyOpenSSL package"
doesn't have the missing functionality (hostname checking in server
certificates), either. M2Crypto has it, though.
History
Date User Action Args
2010-09-29 18:34:28  pitrou  set  recipients: + pitrou, zooko, janssen, orsenthil, giampaolo.rodola, vila, heikki, ahasenack, debatem1, jsamuel, devin, asdfasdfasdfasdfasdfasdfasdf, Ryan.Tucker
2010-09-29 18:34:25  pitrou  link  issue1589 messages
2010-09-29 18:34:25  pitrou  create