On 2018-09-06 17:03, Guido van Rossum wrote:
> FWIW I'm with Antoine here -- XML is still important and I'd like us to
> go the extra mile here, not just give up because the issues have been
> inactive for a long time. We can't control what PyYAML does, but for the
> stdlib XML code, the buck stops here, and we should do the responsible
> thing.

Back in the days, I didn't push hard for the necessary fixes, because all fixes were breaking changes. After all I'd have to disable some features that people may have relied upon. The XML security stuff was my first major security topic for Python, even before SipHash24. I was more concerned not to break people's software than to keep the majority of users safe. I have changed my opinion over the last six, seven years.

By the way I couldn't fix some problems in Python and our expat wrapper either. The expat parser was missing features to properly implement security measurements. I need to check if expat has been improved over the years.

The topic is on the agenda for the core dev sprint.

Christian
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev