PEP 466: restore some rationale lost in final edits
This commit is contained in:
Nick Coghlan
parent
5ae2360963
commit
ceadb0f33c
41
pep-0466.txt
41
pep-0466.txt
|
|
@ -322,6 +322,47 @@ deliberately designed such that it is potentially suitable for Red Hat
|
|||
Enterprise Linux and its downstream derivatives.
|
||||
|
||||
|
||||
Why these particular changes?
|
||||
-----------------------------
|
||||
|
||||
The key requirement for a feature to be considered for inclusion in this
|
||||
proposal was that it must have security implications *beyond* the specific
|
||||
application that is written in Python and the system that application is
|
||||
running on. Thus the focus on network security protocols, password storage
|
||||
and related cryptographic infrastructure - Python is a popular choice for
|
||||
the development of web services and clients, and thus the capabilities of
|
||||
widely used Python versions have implications for the security design of
|
||||
other services that may themselves be using newer versions of Python or
|
||||
other development languages, but need to interoperate with clients or
|
||||
servers written using older versions of Python.
|
||||
|
||||
The intent behind this requirement was to minimise any impact that the
|
||||
introduction of this policy may have on the stability and compatibility of
|
||||
maintenance releases, while still addressing some key security concerns
|
||||
relating to the particular aspects of Python 2.7. It would be thoroughly
|
||||
counterproductive if end users became as cautious about updating to new
|
||||
Python 2.7 maintenance releases as they are about updating to new feature
|
||||
releases within the same release series.
|
||||
|
||||
The ``ssl`` module changes are included in this proposal to bring the
|
||||
Python 2 series up to date with the past 4 years of evolution in network
|
||||
security standards, and make it easier for those standards to be broadly
|
||||
adopted in both servers and clients. Similarly the hash algorithm
|
||||
availability indicators in ``hashlib`` are included to make it easier for
|
||||
applications to detect and employ appropriate hash definitions across both
|
||||
Python 2 and 3.
|
||||
|
||||
The ``hmac.compare_digest()`` and ``hashlib.pbkdf2_hmac()`` are included to
|
||||
help lower the barriers to secure password storage and checking in Python 2
|
||||
server applications.
|
||||
|
||||
The os.urandom change has been included in this proposal to help encourage
|
||||
users to leave the task of providing high quality random numbers for
|
||||
cryptographic use case to operating system vendors (as this is a genuinely
|
||||
hard problem, and operating system developers have more tools available to
|
||||
deal with it than Python application runtimes)
|
||||
|
||||
|
||||
Rejected alternative: just advise developers to migrate to Python 3
|
||||
-------------------------------------------------------------------
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue