Message 274988 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	Jim.Jewett, Lukasa, alex, christian.heimes, dstufft, georg.brandl, giampaolo.rodola, hynek, janssen, larry, python-dev, steve.dower
Date	2016-09-08.09:16:47
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<cde5566f-1e0c-a16d-2fa3-bcd164738f3f@cheimes.de>
In-reply-to	<1473319738.65.0.631343887441.issue27850@psf.upfronthosting.co.za>

Content
On 2016-09-08 09:28, Cory Benfield wrote: > > Cory Benfield added the comment: > > Thanks for your response Larry. I think it cleared up my understanding a bit, and I'm (extremely!) sympathetic to your desire to not get any closer to this problem than you have to. > > I think it may be worth, in future, defining what effort will be made to achieve compatibility with libraries that Python relies on. I can see several questions here that, AFAIK, have no concrete answer: > > - Can a Python minor version increase (e.g. 3.6 -> 3.7) add support for a new ABI in a library dependency? (This one has an answer, which is certainly yes, but we could still stand to write it down because you'd be amazed how often it helps to write down the basic starting point of the argument.) > - Can a Python patch version increase before security release mode (e.g. 3.6.1 -> 3.6.2) add support for a new ABI in a library dependency? > - What about a new API that maintains ABI compatibility? > - Can a Python security version increase (e.g. 3.4.5 -> 3.4.6) add support for a new ABI in a library dependency? > - What about a new API that maintains ABI compatibility? > - How do the answers to the above questions vary if the change is security-focused (e.g. AES is broken tomorrow so ChaCha20 is the only safe cipher left in OpenSSL)? > > I'm not qualified or authoritative enough to answer those questions, but having an answer to them would help modulate expectations from people like myself. I'm going to discuss these points in my OpenSSL PEP. Thanks for the summary :)

On 2016-09-08 09:28, Cory Benfield wrote:
> 
> Cory Benfield added the comment:
> 
> Thanks for your response Larry. I think it cleared up my understanding a bit, and I'm (extremely!) sympathetic to your desire to not get any closer to this problem than you have to.
> 
> I think it may be worth, in future, defining what effort will be made to achieve compatibility with libraries that Python relies on. I can see several questions here that, AFAIK, have no concrete answer:
> 
> - Can a Python minor version increase (e.g. 3.6 -> 3.7) add support for a new ABI in a library dependency? (This one has an answer, which is certainly yes, but we could still stand to write it down because you'd be amazed how often it helps to write down the basic starting point of the argument.)
> - Can a Python patch version increase *before* security release mode (e.g. 3.6.1 -> 3.6.2) add support for a new ABI in a library dependency?
>     - What about a new API that maintains ABI compatibility?
> - Can a Python security version increase (e.g. 3.4.5 -> 3.4.6) add support for a new ABI in a library dependency?
>     - What about a new API that maintains ABI compatibility?
> - How do the answers to the above questions vary if the change is security-focused (e.g. AES is broken tomorrow so ChaCha20 is the only safe cipher left in OpenSSL)?
> 
> I'm not qualified or authoritative enough to answer those questions, but having an answer to them would help modulate expectations from people like myself.

I'm going to discuss these points in my OpenSSL PEP. Thanks for the
summary :)

History
Date	User	Action	Args
2016-09-08 09:16:47	christian.heimes	set	recipients: + christian.heimes, georg.brandl, janssen, larry, giampaolo.rodola, alex, python-dev, hynek, Jim.Jewett, steve.dower, dstufft, Lukasa
2016-09-08 09:16:47	christian.heimes	link	issue27850 messages
2016-09-08 09:16:47	christian.heimes	create