On Fri, Sep 7, 2018 at 10:23, Christian Heimes <christ...@python.org> wrote:
> Back in the days, I didn't push hard for the necessary fixes, because
> all fixes were breaking changes. After all I'd have to disable some
> features that people may have relied upon. The XML security stuff was my
> first major security topic for Python, even before SipHash24. I was more
> concerned not to break people's software than to keep the majority of
> users safe. I have changed my opinion over the last six, seven years.

I understood that Python 2.7.9, which required a valid TLS certificate, annoyed many customers. So I don't think that it would be a good idea to enforce XML security in a minor Python release.

But would it make sense to make XML stricter in Python 3.8 and add an option to opt-out? Or do we need a cycle of 1.5 years (Python 3.8) with a warning, and change the default in the next cycle?

> The topic is on the agenda for the core dev sprint.

Great :-) Thanks are moving on.

Victor