Author dstufft
Recipients Jim.Jewett, Lukasa, alex, christian.heimes, dstufft, georg.brandl, giampaolo.rodola, hynek, janssen, larry, python-dev, steve.dower
Date 2016-09-07.02:55:53
Message-id <1473216953.9.0.268969446533.issue27850@psf.upfronthosting.co.za>
Content
> > The difference between a security feature and a security fix
> > is incredibly hard to differentiate.
>
> I'm not buying this argument.

This touches on it http://web.mit.edu/tabbott/www/papers/hotos.pdf but I'm not sure how you don't see it... In the hypothetical case we don't backport ChaCha20 support and 3DES and AES constructs in TLS are no longer secure... what do you do? Do you just plug your fingers in your ears and hope nobody attacks you? Do you rush to try and patch it at the last minute as a rush job instead of being able to phase it in at a controlled time?

> Future OpenSSLs don't affect Python 3.4, as Python 3.4 won't be upgraded to them.  Anyway we don't ship binary installers for 3.4 anymore.

Well except LibreSSL already supports this just fine, so it doesn't require a new OpenSSL at all and I'm not sure what it means that "Python 3.4 won't be upgraded to them". Python will forcibly mandate that nobody ever links against a newer OpenSSL version?

> Please don't check in support for new ciphers to 3.4.

FWIW the cipher list (at least the restricted ones for ssl.create_default_context()) is explicitly documented as being able to be changed at any time without prior deprecation (and RC4 for instance was dropped in Python 3.4.4).
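As an added example (not part of dstufft's message or of CPython's own tooling), a small audit of which cipher families a Python build's default SSL context offers; the "modern"/"legacy" labels are this example's own assumptions, and the sample names are constructed:

```python
import ssl

# Marker substrings used to sort OpenSSL cipher names into families.
# The verdicts are this example's assumptions, not CPython policy; the
# page only states that RC4 left the default list in 3.4.4 and that the
# default list may change without prior deprecation.
MODERN_MARKERS = ("CHACHA20", "GCM")
LEGACY_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5")


def classify(cipher_name):
    """Return 'legacy', 'modern' or 'other' for one cipher name."""
    name = cipher_name.upper()
    if any(marker in name for marker in LEGACY_MARKERS):
        return "legacy"
    if any(marker in name for marker in MODERN_MARKERS):
        return "modern"
    return "other"


def audit(cipher_names):
    """Group names by verdict and note whether ChaCha20 is offered at all."""
    report = {"modern": [], "legacy": [], "other": []}
    for name in cipher_names:
        report[classify(name)].append(name)
    report["has_chacha20"] = any("CHACHA20" in n.upper() for n in cipher_names)
    return report


def audit_default_context():
    """Audit the running interpreter's ssl.create_default_context() ciphers.

    SSLContext.get_ciphers() exists from Python 3.6; on the 3.4/3.5
    builds discussed in the thread it is absent, so we return None.
    """
    ctx = ssl.create_default_context()
    if not hasattr(ctx, "get_ciphers"):
        return None
    return audit([c["name"] for c in ctx.get_ciphers()])


# Constructed sample resembling OpenSSL cipher names (not captured output).
SAMPLE = ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
          "ECDHE-RSA-DES-CBC3-SHA", "RC4-SHA", "AES256-SHA"]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(audit_default_context())
```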