Author Jim.Jewett
Recipients Jim.Jewett, Lukasa, alex, christian.heimes, dstufft, georg.brandl, giampaolo.rodola, hynek, janssen, larry, python-dev, steve.dower
Date 2016-09-08.00:26:10
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <CA+OGgf5_=15oakVVV6qsTBbhhUTe+ECAcJNSGnrV=22XZJ+-PA@mail.gmail.com>
In-reply-to <1473216953.9.0.268969446533.issue27850@psf.upfronthosting.co.za>
Content
On Sep 6, 2016 10:55 PM, Donald Stufft added the comment:

> In the hypothetical case we don't backport ChaCha20 support and 3DES and
AES constructs in TLS are no longer secure... what do you do? Do you just
plug your fingers in your ears and hope nobody attacks you?

That works fine for an awful lot of uses.

For the ones where it doesn't work, people can either upgrade to 3.5 or get
support from a reseller like red hat or caconical or ActiveState or ...

Providing the support for free isn't *wrong*, but "we don't add new things
except to the current release" is a both clear and sensible ... overriding
should be rare.  Assuming an override should be accepted just because
"security" reminds me of the boy who cried wolf.

> > Future OpenSSLs don't affect Python 3.4, as Python 3.4 won't be
upgraded to them.  ...

> Well except LibreSSL already supports this just fine,

Is switching to a different SSL library without OS vendor support any more
reasonable than switching to a newer python without that same support?
History
Date User Action Args
2016-09-08 00:26:12Jim.Jewettsetrecipients: + Jim.Jewett, georg.brandl, janssen, larry, giampaolo.rodola, christian.heimes, alex, python-dev, hynek, steve.dower, dstufft, Lukasa
2016-09-08 00:26:12Jim.Jewettlinkissue27850 messages
2016-09-08 00:26:10Jim.Jewettcreate