On Sun, Aug 28, 2016, at 22:42, Christian Heimes wrote:
> On 2016-08-29 04:38, Ned Deily wrote:
> > On Aug 28, 2016, at 19:06, Benjamin Peterson <benja...@python.org> wrote:
> >> On Sun, Aug 28, 2016, at 13:40, Christian Heimes wrote:
> >>> Here is the deal for 2.7 to 3.5:
> >>>
> >>> 1) All versions older than 0.9.8 are completely out-of-scope and no
> >>> longer supported.
> >> +1
> >>> 2) 0.9.8 is semi-supported. Python will still compile and work with 0.9.8.
> >>> However we do NOT promise that it is secure to run 0.9.8. We also require a
> >>> recent version. Patch level 0.9.8zc from October 2014 is reasonable
> >>> because it comes with SCSV fallback (CVE-2014-3566).
> >> I think we should support 0.9.8 for 2.7 and drop it for 3.6.
> >
> > Sounds good to me, too. I think we should also not change things for 3.5.x
> > at this point, e.g. continue to support 0.9.8 there.
>
> In my proto-PEP I'm talking about different levels of support: full,
> build-only and unsupported. Full support means that the combination of
> Python and OpenSSL versions is reasonably secure and recommended.
>
> On the other hand build-only support doesn't come with any security
> promise. The ssl and hashlib modules are source compatible with OpenSSL
> 0.9.8. You can still compile Python, do https connections but they might
> not be secure. It's "Warranty void" mode.
I'm not sure having such "support" is a good idea. If we're not able to support a security module securely, it's probably better if it doesn't compile at all.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
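Added example, not code from the thread, CPython or the proto-PEP: a helper that maps the OpenSSL version a Python build is linked against (ssl.OPENSSL_VERSION_INFO) to the three support levels Christian describes, using the 0.9.8zc floor from the thread; treating 1.0.0 and later as "full" is an assumption, and the version tuples in the test are constructed.

```python
"""Classify a linked OpenSSL version into the support levels proposed in the
thread: full, build-only ("warranty void") and unsupported.  Added example;
assumes 1.0.0 and newer count as full support (the thread does not say)."""
import ssl

FULL, BUILD_ONLY, UNSUPPORTED = "full", "build-only", "unsupported"


def patch_number(letters):
    """Turn an OpenSSL patch suffix ('', 'h', 'zc') into the integer that
    OPENSSL_VERSION_INFO[3] carries: a=1 .. z=26, za=27, zb=28, zc=29 ..."""
    n = 0
    for ch in letters.lower():
        if not "a" <= ch <= "z":
            raise ValueError("bad patch suffix: %r" % letters)
        n += ord(ch) - ord("a") + 1
    return n


# 0.9.8zc (October 2014) is the oldest 0.9.8 patch level accepted in the thread.
MIN_098_PATCH = patch_number("zc")


def classify(version_info):
    """version_info is a 5-tuple shaped like ssl.OPENSSL_VERSION_INFO:
    (major, minor, fix, patch, status)."""
    major, minor, fix, patch = version_info[:4]
    if (major, minor, fix) < (0, 9, 8):
        return UNSUPPORTED          # rule 1: older than 0.9.8 is out of scope
    if (major, minor, fix) == (0, 9, 8):
        # rule 2: 0.9.8 builds and runs, but only a recent patch level counts
        return BUILD_ONLY if patch >= MIN_098_PATCH else UNSUPPORTED
    return FULL                     # assumption: 1.0.0 and later are fully supported


def require_full_support(version_info=None):
    """Fail closed: refuse to run TLS code on a 'warranty void' OpenSSL.
    Defaults to the OpenSSL the running interpreter is linked against."""
    info = ssl.OPENSSL_VERSION_INFO if version_info is None else version_info
    level = classify(info)
    if level != FULL:
        raise RuntimeError("OpenSSL %d.%d.%d: %s support only"
                           % (info[0], info[1], info[2], level))
    return level


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", classify(ssl.OPENSSL_VERSION_INFO))
```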