PEP 466: switch to more selective backports
This commit is contained in:
parent
68ce00d52e
commit
9ea9830f61
268
pep-0466.txt
268
pep-0466.txt
|
@ -7,7 +7,7 @@ Status: Draft
|
|||
Type: Informational
|
||||
Content-Type: text/x-rst
|
||||
Created: 23-Mar-2014
|
||||
Post-History: 23-Mar-2014
|
||||
Post-History: 23-Mar-2014, 24-Mar-2014, 25-Mar-2014, 26-Mar-2014
|
||||
|
||||
|
||||
Abstract
|
||||
|
@ -22,8 +22,8 @@ This cadence works reasonably well during Python's normal 18-24 month
|
|||
feature release cycle, which is still applicable to the Python 3 series.
|
||||
However, the age of the standard library in Python 2 has now reached a point
|
||||
where it is sufficiently far behind the state of the art in network security
|
||||
protocols for it to be causing real problems in commercial use cases
|
||||
where upgrading to Python 3 in the near term may not be practical.
|
||||
protocols for it to be causing real problems in use cases where upgrading to
|
||||
Python 3 in the near term may not be feasible.
|
||||
|
||||
In recognition of the additional practical considerations that have arisen
|
||||
during the 4+ year maintenance cycle for Python 2.7, this PEP allows
|
||||
|
@ -31,91 +31,74 @@ Python 2.7 standard library components that have implications for the
|
|||
overall security of the internet to be updated in line with the
|
||||
corresponding Python 3 feature releases.
|
||||
|
||||
Specifically, the exception will apply to:
|
||||
|
||||
* the ``ssl`` module
|
||||
* the ``hashlib`` module
|
||||
* the ``hmac`` module
|
||||
* the components of the ``random`` and ``os`` modules that the above
|
||||
modules rely on for cryptographic randomness
|
||||
* the version of OpenSSL bundled with the binary installers for Windows
|
||||
and Mac OS X
|
||||
|
||||
Changes to these modules will still need to undergo normal backwards
|
||||
compatibility assessments to ensure their default behaviour remains
|
||||
consistent with earlier Python 2.7 releases, but otherwise they will be
|
||||
kept entirely aligned with the latest feature release of their Python 3
|
||||
counterparts. This is designed to make it easier to implement secure
|
||||
networked software in Python, even for software that currently needs to
|
||||
remain compatible with the Python 2 series (which includes a lot of
|
||||
network infrastructure software).
|
||||
Specifically, the exception allows a critical set of network security
|
||||
related features to be backported from Python 3.4 to the upcoming Python
|
||||
2.7.7 maintenance release.
|
||||
|
||||
While this PEP does not make any changes to the core development team's
|
||||
handling of security-fix-only branches that are no longer in active
|
||||
maintenance, it *does* recommend that commercial redistributors providing
|
||||
extended support periods for the Python standard library either adopt a
|
||||
similar approach to ensuring that the secure networking infrastructure
|
||||
keeps pace with the evolution of the internet, or else explicitly
|
||||
disclaim support for the use of older versions in roles that involve
|
||||
connecting directly to the public internet.
|
||||
extended support periods for the Python standard library either backport
|
||||
these features to their supported versions, or else explicitly disclaim
|
||||
support for the use of older versions in roles that involve connecting
|
||||
directly to the public internet.
|
||||
|
||||
|
||||
Exemption Policy
|
||||
================
|
||||
|
||||
Under this policy, the following network security related modules are
|
||||
granted a blanket exemption to the normal restriction against adding new
|
||||
features in Python 2.7 maintenance releases, for the purpose of keeping
|
||||
their APIs aligned with their counterparts in the latest feature release
|
||||
of Python 3:
|
||||
Under this policy, the following features SHOULD be backported from Python
|
||||
3.4 to the upcoming Python 2.7.7 maintenance release:
|
||||
|
||||
* the ``ssl`` module
|
||||
* the ``hashlib`` module
|
||||
* the ``hmac`` module
|
||||
* in the ``os`` module:
|
||||
|
||||
Under this exemption, these modules are updated to provide identical
|
||||
functionality to their Python 3 counterparts after every new Python 3
|
||||
feature release. The default behaviour of the backported modules will be
|
||||
adjusted as appropriate to meet the backwards compatibility requirements
|
||||
of a Python 2.7 maintenance release.
|
||||
* persistent file descriptor for ``os.urandom()``.
|
||||
|
||||
* in the ``hmac`` module:
|
||||
|
||||
* constant time comparison function (``hmac.compare_digest()``).
|
||||
|
||||
* in the ``hashlib`` module:
|
||||
|
||||
* password hashing function (``hashlib.pbkdf2_hmac()``).
|
||||
* details of hash algorithm availability (``hashlib.algorithms_guaranteed``
|
||||
and ``hashlib.algorithms_guaranteed``).
|
||||
|
||||
* in the ``ssl`` module:
|
||||
|
||||
* this module is almost entirely synchronised with its Python 3
|
||||
counterpart, bringing TLSv2, SSLContext manipulation, Server Name
|
||||
Identification, access to platform certificate stores, standard
|
||||
library support for peer hostname validation and more to the Python 2
|
||||
series.
|
||||
* the only ``ssl`` module features *not* backported under this policy are
|
||||
the ``ssl.RAND_*`` functions that provide access to OpenSSL's random
|
||||
number generation capabilities - use ``os.urandom()`` instead.
|
||||
|
||||
As part of this policy, permission is also granted to upgrade to newer
|
||||
feature releases of OpenSSL when preparing the binary installers
|
||||
for new maintenance releases of Python 2.7.
|
||||
|
||||
Note that the ``sha`` and ``md5`` modules are not covered by this policy,
|
||||
but have been deprecated in favour of ``hashlib`` since Python 2.5 and have
|
||||
been removed entirely in the Python 3 series.
|
||||
|
||||
In addition to the above blanket exemption, a conditional exemption is
|
||||
granted for these modules that may include some network security related
|
||||
features:
|
||||
|
||||
* the ``os`` module (specifically ``os.urandom``)
|
||||
* the ``random`` module
|
||||
|
||||
This more limited exemption for these modules requires that the *specific*
|
||||
enhancement being proposed for backporting needs to be justified as being
|
||||
network security related. This is generally restricted to cases where the
|
||||
feature in question is needed by an update to one of the modules covered
|
||||
by the blanket exemption.
|
||||
|
||||
|
||||
Backwards Compatibility Considerations
|
||||
======================================
|
||||
|
||||
This PEP does *not* grant Python 2.7 any general exemptions to the usual
|
||||
backwards compatibility policy for maintenance releases. Instead, by
|
||||
explicitly encouraging the use of feature based checks and explicitly
|
||||
opting in to less secure configurations, it is designed to make it easier
|
||||
As in the Python 3 series, the backported ``ssl.create_default_context()``
|
||||
API is granted a backwards compatibility exemption that permits the
|
||||
protocol, options, cipher and other settings of the created SSL context to
|
||||
be made
|
||||
|
||||
This PEP does *not* grant any exemptions to the usual backwards
|
||||
compatibility policy for maintenance releases. Instead, by explicitly
|
||||
encouraging the use of feature based checks, it is designed to make it easier
|
||||
to write more secure cross-version compatible Python software, while still
|
||||
limiting the risk of breaking currently working software when upgrading to
|
||||
a new Python 2.7 maintenance release.
|
||||
|
||||
In *all* cases where this policy is applied to backport enhancements to
|
||||
Python 2.7 maintenance releases, it MUST be possible to write cross-version
|
||||
In all cases where this policy allows new features to be backported to
|
||||
the Python 2.7 release series, it is possible to write cross-version
|
||||
compatible code that operates by "feature detection" (for example, checking
|
||||
for particular attributes in the module), without needing to explicitly check
|
||||
for particular attributes in a module), without needing to explicitly check
|
||||
the Python version.
|
||||
|
||||
It is then up to library and framework code to provide an appropriate warning
|
||||
|
@ -124,16 +107,17 @@ some especially security sensitive software MAY fail outright if a desired
|
|||
security feature is unavailable, most software SHOULD instead emit a warning
|
||||
and continue operating using a slightly degraded security configuration.
|
||||
|
||||
Affected APIs SHOULD be designed to allow library and application code to
|
||||
perform the following actions after detecting the presence of a relevant
|
||||
The backported APIs allow library and application code to perform the
|
||||
following actions after detecting the presence of a relevant
|
||||
network security related feature:
|
||||
|
||||
* explicitly opt in to more secure settings (to allow the use of enhanced
|
||||
security features in older maintenance releases of Python)
|
||||
security features in older maintenance releases of Python with less
|
||||
secure default behaviour)
|
||||
* explicitly opt in to less secure settings (to allow the use of newer Python
|
||||
feature releases in lower security environments)
|
||||
* determine the default setting for the feature (this MAY require explicit
|
||||
Python version checks to determine the Python feature release, but MUST
|
||||
Python version checks to determine the Python feature release, but DOES
|
||||
NOT require checking for a specific maintenance release)
|
||||
|
||||
Security related changes to other modules (such as higher level networking
|
||||
|
@ -187,12 +171,12 @@ load.
|
|||
|
||||
Backporting security related fixes and enhancements to earlier versions is
|
||||
a common service for commercial redistributors to offer to their customers.
|
||||
This policy represents an explicit invitation to contribute some of those
|
||||
changes back to the upstream Python community in cases where they are likely
|
||||
to have a broad impact that helps improve the security of the internet as a
|
||||
whole, with the assurance that the existing core development team not only
|
||||
won't object to such contributions, but will actively encourage their
|
||||
incorporation into the next Python 2.7 maintenance release.
|
||||
This policy represents an explicit invitation to implement those changes
|
||||
in the core development tree in cases where they are likely to have a broad
|
||||
impact that helps improve the security of the internet as a whole, with the
|
||||
assurance that the existing core development team not only won't object to
|
||||
such contributions, but will actively encourage their incorporation into
|
||||
the next Python 2.7 maintenance release.
|
||||
|
||||
|
||||
Documentation
|
||||
|
@ -201,7 +185,7 @@ Documentation
|
|||
All modules covered by this policy MUST include a "Security Considerations"
|
||||
section in their documentation in order to take advantage of this policy.
|
||||
|
||||
In addition to any other module specific contents, this section MUST
|
||||
In addition to any other module specific contents, this section SHOULD
|
||||
enumerate key security enhancements and fixes (with CVE identifiers where
|
||||
applicable), along with the feature and maintenance releases that first
|
||||
included them.
|
||||
|
@ -232,8 +216,8 @@ to test against specific Python 2.7 maintenance releases, to ensure that
|
|||
libraries, frameworks and applications can still test their handling of the
|
||||
legacy security infrastructure correctly (either failing or degrading
|
||||
gracefully, depending on the security sensitivity of the software), even
|
||||
after the latest Python 2.7 maintenance release has been synchronised with
|
||||
a new Python 3 feature release for the modules covered by this policy.
|
||||
after the features covered in this policy have been backported to the
|
||||
Python 2.7 series.
|
||||
|
||||
|
||||
Handling lower security environments with low risk tolerance
|
||||
|
@ -258,16 +242,16 @@ scenario.
|
|||
Evolution of this Policy
|
||||
========================
|
||||
|
||||
The key requirement for a module to be considered for inclusion in this
|
||||
policy (whether under a blanket or conditional exemption) is that it must
|
||||
have security implications *beyond* the specific application that is written
|
||||
in Python and the system that application is running on. Thus the focus on
|
||||
network security protocols and related cryptographic infrastructure - Python
|
||||
is a popular choice for the development of web services and clients, and
|
||||
thus the capabilities of widely used Python versions have implications for
|
||||
the security design of other services that may themselves be using newer
|
||||
versions of Python or other development languages, but need to interoperate
|
||||
with clients or servers written using older versions of Python.
|
||||
The key requirement for a feature to be considered for inclusion in this
|
||||
policy is that it must have security implications *beyond* the specific
|
||||
application that is written in Python and the system that application is
|
||||
running on. Thus the focus on network security protocols, password storage
|
||||
and related cryptographic infrastructure - Python is a popular choice for
|
||||
the development of web services and clients, and thus the capabilities of
|
||||
widely used Python versions have implications for the security design of
|
||||
other services that may themselves be using newer versions of Python or
|
||||
other development languages, but need to interoperate with clients or
|
||||
servers written using older versions of Python.
|
||||
|
||||
The intent behind this requirement is to minimise any impact that the
|
||||
introduction of this policy may have on the stability and compatibility of
|
||||
|
@ -280,15 +264,6 @@ same release series.
|
|||
Motivation and Rationale
|
||||
========================
|
||||
|
||||
This PEP can be seen as a more targeted version of the "faster standard
|
||||
library release cycle" proposals discussed in PEP 407 and PEP 413,
|
||||
focusing specifically on those areas which have implications beyond the
|
||||
Python community.
|
||||
|
||||
|
||||
Background
|
||||
----------
|
||||
|
||||
The creation of this PEP was prompted primarily by the aging SSL support in
|
||||
the Python 2 series. As of March 2014, the Python 2.7 SSL module is
|
||||
approaching four years of age, and the SSL support in the still popular
|
||||
|
@ -315,8 +290,8 @@ currently limited to OpenSSL maintenance releases for the version initially
|
|||
shipped with the corresponding Python feature release.
|
||||
|
||||
With increased popularity comes increased responsibility, and this policy
|
||||
aims to acknowledge the fact that Python's popularity and adoption has now
|
||||
reached a level where some of our design and policy decisions have
|
||||
aims to acknowledge the fact that Python's popularity and adoption is at a
|
||||
sufficiently high level that some of our design and policy decisions have
|
||||
significant implications beyond the Python development community.
|
||||
|
||||
As one example, the Python 2 ``ssl`` module does not support the Server
|
||||
|
@ -371,11 +346,10 @@ itself that receives 10 years worth of support, but the overall RHEL 6
|
|||
*series*. The individual RHEL 6.x point releases within the series then
|
||||
receive a wide variety of new features, including security enhancements,
|
||||
all while meeting strict backwards compatibility guarantees for existing
|
||||
software. Subscribers *are* able to continue using a given point release
|
||||
after the next point release has become available, but a corresponding
|
||||
add-on subscription for `Extended Update Support
|
||||
<https://access.redhat.com/site/support/policy/updates/errata/#Extended_Update_Support>`__
|
||||
is needed to cover the additional backporting work involved.
|
||||
software. The policy described in this PEP brings our approach to long term
|
||||
maintenance more into line with this precedent - we retain our strict
|
||||
backwards compatibility requirements, but slightly relax the restrictions
|
||||
against adding new features.
|
||||
|
||||
To date, downstream redistributors have respected our upstream policy of
|
||||
"no new features in Python maintenance releases". This PEP explicitly
|
||||
|
@ -385,8 +359,8 @@ designed such that it at least has some chance of being applied to Red Hat
|
|||
Enterprise Linux and its downstream derivatives.
|
||||
|
||||
|
||||
Alternative: advise developers of networked software to migrate to Python 3
|
||||
---------------------------------------------------------------------------
|
||||
Rejected alternative: just advise developers to migrate to Python 3
|
||||
-------------------------------------------------------------------
|
||||
|
||||
This alternative represents the status quo. Unfortunately, it has proven
|
||||
to be unworkable in practice, as the backwards compatibility implications
|
||||
|
@ -428,7 +402,7 @@ that runs in the integrated system Python by necessity.
|
|||
The OpenStack migration to Python 3 is also still in its infancy, and even
|
||||
though that's a project with an extensive and relatively robust automated
|
||||
test suite, it's still large enough that it is going to take quite some time
|
||||
to migrate.
|
||||
to migrate fully to a Python 2/3 compatible code base.
|
||||
|
||||
And that's just three of the highest profile open source projects that
|
||||
make heavy use of Python. Given the likely existence of large amounts of
|
||||
|
@ -455,8 +429,8 @@ The problem is real, so *something* needs to change, and this PEP describes
|
|||
my preferred approach to addressing the situation.
|
||||
|
||||
|
||||
Alternative: create and release Python 2.8
|
||||
------------------------------------------
|
||||
Rejected alternative: create and release Python 2.8
|
||||
---------------------------------------------------
|
||||
|
||||
With sufficient corporate support, it likely *would* be possible to create
|
||||
and release Python 2.8 (it's highly unlikely such a project would garner
|
||||
|
@ -485,8 +459,8 @@ of a Python 2.8 being of any use to me in even attempting to get it
|
|||
addressed.
|
||||
|
||||
|
||||
Alternative: distribute the security enhancements via PyPI
|
||||
----------------------------------------------------------
|
||||
Rejected alternative: distribute the security enhancements via PyPI
|
||||
-------------------------------------------------------------------
|
||||
|
||||
While this initially appears to be an attractive and easier to manage
|
||||
approach, it actually suffers from several significant problems.
|
||||
|
@ -537,8 +511,8 @@ security enhancements by deliberately downgrading the provided network
|
|||
security infrastructure, which most of them are unlikely to do.
|
||||
|
||||
|
||||
Alternative: provide a "legacy SSL infrastructure" branch
|
||||
---------------------------------------------------------
|
||||
Rejected variant: provide a "legacy SSL infrastructure" branch
|
||||
--------------------------------------------------------------
|
||||
|
||||
Earlier versions of this PEP included the concept of a ``2.7-legacy-ssl``
|
||||
branch that preserved the exact feature set of the Python 2.7.6 network
|
||||
|
@ -559,28 +533,14 @@ infrastructure updated to match Python 3.4, it would also be appropriate to
|
|||
refer to Python 2.7.6 and earlier releases as "Python 2.7 with Legacy SSL".
|
||||
|
||||
|
||||
Alternative: selectively backport particular APIs
|
||||
-------------------------------------------------
|
||||
Rejected variant: synchronise particular modules entirely with Python 3
|
||||
-----------------------------------------------------------------------
|
||||
|
||||
An instinctively minimalist reaction to this proposal is to only backport
|
||||
particular APIs in the affected modules that are judged to be "security
|
||||
critical". However, this ends up providing a worse end user experience,
|
||||
as well as a worse developer experience.
|
||||
Earlier versions of this PEP suggested synchronising the ``hmac``,
|
||||
``hashlib`` and ``ssl`` modules entirely with their Python 3 counterparts.
|
||||
|
||||
For end users, the selective backporting approach means learning not only
|
||||
the legacy Python 2.7 API and the current Python 3 APIs, but also the
|
||||
hybrid API created by the selective backporting process. It is much
|
||||
simpler to just learn the APIs of the original Python 2.7 feature release
|
||||
and the relevant Python 3 features releases, without trying to define a new
|
||||
hybrid API that only exists in later Python 2.7 maintenance branches.
|
||||
|
||||
For developers, the main benefit of the "just align the available
|
||||
functionality with Python 3" approach is that it reduces the amount of
|
||||
design work needing when updating Python 2.7 with new security features.
|
||||
The "feature or fix?" and "security related or not?" debates are both
|
||||
handled in advance by this policy, leaving only the matter of ensuring
|
||||
that backwards compatibility is preserved as needed by adjusting the
|
||||
default behaviour in the Python 2.7 backport when appropriate.
|
||||
This approach proved too vague to build a compelling case for the exception,
|
||||
and has thus been replaced by the current more explicit proposal.
|
||||
|
||||
|
||||
Open Questions
|
||||
|
@ -601,10 +561,8 @@ Open Questions
|
|||
as support for handling any more specific security issues affecting these
|
||||
modules.
|
||||
|
||||
* I believe I've addressed all the technical and scope questions I had, or
|
||||
others raised. That just leaves the question of "Do we agree this plan
|
||||
actually makes sense, given the constraints on downstream redistributors
|
||||
that would also like to see this problem solved?" :)
|
||||
* Did I miss anything important in the switch to a more restrictive
|
||||
proposal?
|
||||
|
||||
|
||||
Disclosure of Interest
|
||||
|
@ -620,7 +578,7 @@ and cannot make any commitments on Red Hat's behalf.
|
|||
Acknowledgements
|
||||
================
|
||||
|
||||
Thanks to Christian Heimes for his recent efforts on greatly improving
|
||||
Thanks to Christian Heimes and other for their efforts in greatly improving
|
||||
Python's SSL support in the Python 3 series, and a variety of members of
|
||||
the Python community for helping me to better understand the implications
|
||||
of the default settings we provide in our SSL modules, and the impact that
|
||||
|
@ -628,20 +586,44 @@ tolerating the use of SSL infrastructure that was defined in 2010
|
|||
(Python 2.7) or even 2008 (Python 2.6) potentially has for the security
|
||||
of the web as a whole.
|
||||
|
||||
Christian and Donald Stufft also provided valuable feedback on a preliminary
|
||||
Thanks to Donald Stufft and Alex Gaynor for identifying a more limited set
|
||||
of essential security features that allowed the proposal to be made more
|
||||
fine-grained than backporting entire modules from Python 3.4 [7,8]_.
|
||||
|
||||
Christian and Donald also provided valuable feedback on a preliminary
|
||||
draft of this proposal.
|
||||
|
||||
Thanks also to participants in the python-dev mailing list threads [1,2,5]_
|
||||
Thanks also to participants in the python-dev mailing list threads
|
||||
[1,2,5,6]_
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
.. [1] https://mail.python.org/pipermail/python-dev/2014-March/133334.html
|
||||
.. [2] https://mail.python.org/pipermail/python-dev/2014-March/133389.html
|
||||
.. [3] https://mail.python.org/pipermail/python-dev/2014-March/133438.html
|
||||
.. [4] https://mail.python.org/pipermail/python-dev/2014-March/133347.html
|
||||
.. [5] https://mail.python.org/pipermail/python-dev/2014-March/133442.html
|
||||
.. [1] PEP 466 discussion (round 1)
|
||||
(https://mail.python.org/pipermail/python-dev/2014-March/133334.html)
|
||||
|
||||
.. [2] PEP 466 discussion (round 2)
|
||||
(https://mail.python.org/pipermail/python-dev/2014-March/133389.html)
|
||||
|
||||
.. [3] Marc-Andre Lemburg's OpenSSL feedback for Windows
|
||||
(https://mail.python.org/pipermail/python-dev/2014-March/133438.html)
|
||||
|
||||
.. [4] Ned Deily's OpenSSL feedback for Mac OS X
|
||||
(https://mail.python.org/pipermail/python-dev/2014-March/133347.html)
|
||||
|
||||
.. [5] PEP 466 discussion (round 3)
|
||||
(https://mail.python.org/pipermail/python-dev/2014-March/133442.html)
|
||||
|
||||
.. [6] PEP 466 discussion (round 4)
|
||||
(https://mail.python.org/pipermail/python-dev/2014-March/133472.html)
|
||||
|
||||
.. [7] Donald Stufft's recommended set of backported features
|
||||
(https://mail.python.org/pipermail/python-dev/2014-March/133500.html)
|
||||
|
||||
.. [8] Alex Gaynor's recommended set of backported features
|
||||
(https://mail.python.org/pipermail/python-dev/2014-March/133503.html)
|
||||
|
||||
|
||||
|
||||
Copyright
|
||||
|
|
Loading…
Reference in New Issue