Message 274932 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	Jim.Jewett
Recipients	Jim.Jewett, Lukasa, alex, christian.heimes, dstufft, georg.brandl, giampaolo.rodola, hynek, janssen, larry, python-dev, steve.dower
Date	2016-09-08.00:26:10
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<CA+OGgf5_=15oakVVV6qsTBbhhUTe+ECAcJNSGnrV=22XZJ+-PA@mail.gmail.com>
In-reply-to	<1473216953.9.0.268969446533.issue27850@psf.upfronthosting.co.za>

Content
On Sep 6, 2016 10:55 PM, Donald Stufft added the comment: > In the hypothetical case we don't backport ChaCha20 support and 3DES and AES constructs in TLS are no longer secure... what do you do? Do you just plug your fingers in your ears and hope nobody attacks you? That works fine for an awful lot of uses. For the ones where it doesn't work, people can either upgrade to 3.5 or get support from a reseller like red hat or caconical or ActiveState or ... Providing the support for free isn't wrong, but "we don't add new things except to the current release" is a both clear and sensible ... overriding should be rare. Assuming an override should be accepted just because "security" reminds me of the boy who cried wolf. > > Future OpenSSLs don't affect Python 3.4, as Python 3.4 won't be upgraded to them. ... > Well except LibreSSL already supports this just fine, Is switching to a different SSL library without OS vendor support any more reasonable than switching to a newer python without that same support?

On Sep 6, 2016 10:55 PM, Donald Stufft added the comment:

> In the hypothetical case we don't backport ChaCha20 support and 3DES and
AES constructs in TLS are no longer secure... what do you do? Do you just
plug your fingers in your ears and hope nobody attacks you?

That works fine for an awful lot of uses.

For the ones where it doesn't work, people can either upgrade to 3.5 or get
support from a reseller like red hat or caconical or ActiveState or ...

Providing the support for free isn't *wrong*, but "we don't add new things
except to the current release" is a both clear and sensible ... overriding
should be rare.  Assuming an override should be accepted just because
"security" reminds me of the boy who cried wolf.

> > Future OpenSSLs don't affect Python 3.4, as Python 3.4 won't be
upgraded to them.  ...

> Well except LibreSSL already supports this just fine,

Is switching to a different SSL library without OS vendor support any more
reasonable than switching to a newer python without that same support?

History
Date	User	Action	Args
2016-09-08 00:26:12	Jim.Jewett	set	recipients: + Jim.Jewett, georg.brandl, janssen, larry, giampaolo.rodola, christian.heimes, alex, python-dev, hynek, steve.dower, dstufft, Lukasa
2016-09-08 00:26:12	Jim.Jewett	link	issue27850 messages
2016-09-08 00:26:10	Jim.Jewett	create