iSharkFly-Open
/
python-peps
mirror of https://github.com/python/peps.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
python-peps/pep-0546.txt

142 lines
4.8 KiB
Plaintext
Raw Normal View History

New PEP 546: Backport MemoryBIO to Python 2.7 (#272) * New PEP 546: Backport MemoryBIO to Python 2.7 * PEP 546: Alex Gaynor's review * PEP 546: Nick Coghlan's review: ensurepip * PEP 546: new Nick Coghlan's review
2017-05-30 08:58:20 -04:00
PEP: 546
Title: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7
Version: $Revision$
Last-Modified: $Date$
Author: Victor Stinner <victor.stinner@gmail.com>,
Status: Draft
Type: Standards Track
Content-Type: text/x-rst
Created: 30-May-2017
Abstract
========
Backport ssl.MemoryBIO and ssl.SSLObject classes from Python 3 to Python
2.7 to enhance the overall security of Python 2.7.
Rationale
=========
While Python 2.7 is getting closer to its end-of-line (scheduled for
2020), it is still used on production and the Python community is still
responsible for its security. And to facilitate the future adoption of
:pep:`543`, which will improve security for Python3 users.
This PEP does NOT propose a general exception for backporting new
features to Python 2.7 - every new feature proposed for backporting will
still need to be justified independently. In particular, it will need to
be explained why relying on an independently updated backport on the
Python Package Index instead is not an acceptable solution.
PEP 543
-------
The :pep:`543` defines a new TLS API for Python which would enhance the
Python security: give access to the root certificate authorities on
Windows and macOS by using native APIs, instead of OpenSSL. A side effect
is that it gives access to certificates installed locally by system
administrators, allowing to use "company certificates" without having to
modify each Python application and so validate correctly TLS
certificates (instead of having to ignore or bypass the TLS certificate
validation).
For practical reasons, Cory Benfield would like to first implement an
I/O-less class similar to ssl.MemoryBIO and ssl.SSLObject for the
:pep:`543`, and provide a second class based on the first one to use
sockets or file descriptors. This design would help to structure the code
to support more backends and simplify testing and auditing. Later,
optimized classes using directly sockets or file descriptors may be
added for performance.
While the :pep:`543` defines an API, the PEP would only make sense if it
comes with at least one complete and good implementation. The first
implementation will be based on the ``ssl`` module of the Python
standard library.
In a perfect world, all applications would already run on Python 3 since
Python 3.0 was released. In practice, many applications still run on
production on top of Python 2.7. To make the new TLS API more widely
used, it should be usable on all Python versions currently supported:
Python 2.7, 3.5, 3.6. Otherwise, some applications would have to wait
until they drop Python 2 support to be able to use the new TLS API.
Delaying adoption of the PEP 543 API means delaying the adoption for
security improvements for Python 3 users as well.
requests, pip and ensurepip
---------------------------
There are plans afoot to look at moving Requests to a more event-loop-y
model, and doing so basically mandates a MemoryBIO. In the absence of a
Python 2.7 backport, Requests is required to basically use the same
solution that Twisted currently does: namely, a mandatory dependency on
`pyOpenSSL <https://pypi.python.org/pypi/pyOpenSSL>`_.
The `pip <https://pip.pypa.io/>`_ program has to embed all its
dependencies for pratical reason. Since pip depends on requests, it means
that it would have to embed a copy of pyOpenSSL. That would imply
usability pain to install pip. Currently, pip doesn't support embedding
C extensions which must be compiled on each platform and so require a C
compiler.
Since Python 2.7.9, Python embeds a copy of pip both for default
installation and for use in virtual environments: the new ``ensurepip``
module. If pip ends up bundling PyOpenSSL, then Python will end up
bundling PyOpenSSL. Only backporting ``ssl.MemoryBIO`` and
``ssl.SSLObject`` would avoid to have to embed pyOpenSSL to only include
the strict minimum features required by requests and fix the bootstrap
issue (python -> ensurepip -> pip -> requests -> MemoryBIO).
Changes
=======
Add ``MemoryBIO`` and ``SSLObject`` classes to the ``ssl`` module of
Python 2.7.
The code will be backported and adapted from the master branch
(Python 3).
The backport also significantly reduced the size of the Python 2/Python
3 difference of the ``_ssl`` module, which make maintenance easier.
Links
=====
* :pep:`543`
* `[backport] ssl.MemoryBIO
<https://bugs.python.org/issue22559>`_: Implementation of this PEP
written by Alex Gaynor (first version written at October 2014)
* :pep:`466`
Discussions
===========
* `[Python-Dev] Backport ssl.MemoryBIO on Python 2.7?
<https://mail.python.org/pipermail/python-dev/2017-May/147981.html>`_
(May 2017)
Copyright
=========
This document has been placed in the public domain.
..
Local Variables:
mode: indented-text
indent-tabs-mode: nil
sentence-end-double-space: t
fill-column: 70
coding: utf-8
End: