Re: [Python-Dev] Issue #15014 - SMTP AUTH initial-response (beta exception requested)
On 8 July 2015 at 05:12, Barry Warsaw wrote:
> On Jul 07, 2015, at 02:53 PM, Terry Reedy wrote:
>
>>To me, the main question is whether you are sure that your proposal is the
>>right fix, or whether you might reasonably do something different (with the
>>new arguments) if changes were reverted for the present and you two took more
>>time to think about the problem. My impression is that the latter is
>>unlikely because the problem is inherent in the new auth methods.
>
> I generally like the approach that initially added with issue #15014. This is
> a subtle corner of the RFC and an unexpected regression from Python 3.4.

That strikes me as just the kind of not-quite-as-finished-as-we-thought case that the beta cycle is designed to flush out, so the minor further enhancement sounds like a good idea to me.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] PEP 493: Redistributor guidance for Python 2.7 HTTPS
On 8 July 2015 at 00:42, Antoine Pitrou wrote:
> In this case, though, I was a bit miffed since I didn't notice that
> PEP appearing on python-ideas (or perhaps I already forget discussing
> it?), which made me frustrated that *perhaps* with less pointless
> drifting I would have seen it. Being one of the principal maintainers
> of the ssl module I was definitely interested on giving my opinion.

And it turns out that omission is entirely my fault - I *thought* I'd previously started a python-ideas thread, but instead we only filed a tracker issue, and I *didn't* add everyone handling ssl module maintenance to the nosy list for it. If I'd added a proper references section to the PEP I would have noticed there *wasn't* a previous thread on it and I was misremembering.

My apologies for the confusion. I'll add a proper references section to the PEP (which will also call out the Red Hat CVE thread more clearly) in addition to fixing the example code to respect the "ignore_environment" flag.

As Guido suggested, would you be willing to take on the BDFL-Delegate task for this? It definitely seems appropriate given the errors and omissions you've already found :)

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia

Re: [Python-Dev] cpython: Tighten-up code in the set iterator to use an entry pointer rather than
On Wed, Jul 8, 2015 at 10:19 PM, Serhiy Storchaka wrote:
> On 08.07.15 01:45, Raymond Hettinger wrote:
>
>> P.S. I don't think python-dev post was necessary or helpful (and I still
>> haven't had a chance to read the whole thread). It would have been
>> sufficient to assign the tracker entry back to me.
>>
>
> Well, I'll open new issue and assign it to you for every your commit that
> looks questionable to me.
>

That sounds like a fine solution, and a good conclusion of the thread.

--
--Guido van Rossum (python.org/~guido)

Re: [Python-Dev] PEP 493: Redistributor guidance for Python 2.7 HTTPS
On Thu, 9 Jul 2015 20:57:33 +1000 Nick Coghlan wrote:
>
> As Guido suggested, would you be willing to take on the BDFL-Delegate
> task for this? It definitely seems appropriate given the errors and
> omissions you've already found :)

Fine. I'll take a look again and come up with questions, if I have any.

Regards

Antoine.

[Python-Dev] OpenSSL Security Advisory [9 Jul 2015]
Hi,

this just came in. According to Zachary all Windows builds use 1.0.2c. The version is vulnerable to a critical bug in the CA validation code of OpenSSL. The bug can be abused to turn any valid server certificate into a CA cert.

We should consider a security release of Python ASAP.

Alternative chains certificate forgery (CVE-2015-1793)
======================================================

Severity: High

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.

This issue will impact any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project.

Note

As per our previous announcements and our Release Strategy (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these releases will be provided after that date. Users of these releases are advised to upgrade.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150709.txt

Note: the online version of the advisory may be updated with additional details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html

Re: [Python-Dev] OpenSSL Security Advisory [9 Jul 2015]
On 2015-07-09 15:29, Christian Heimes wrote:
> Hi,
>
> this just came in. According to Zachary all Windows builds use 1.0.2c.
> The version is vulnerable to a critical bug in the CA validation code of
> OpenSSL. The bug can be abused to turn any valid server certificate into
> a CA cert.
>
> We should consider a security release of Python ASAP.

Good news! I was too fast and it looks like we are mostly safe. 1.0.2c is only used in 3.5b3. The production builds are either using 1.0.2a or 1.0.1j.

Christian

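The version triage done in the two messages above, as an added example that is not part of the thread and is not CPython or OpenSSL code: it maps an `ssl.OPENSSL_VERSION_INFO` tuple (or a raw `OPENSSL_VERSION_NUMBER`) to a release name and checks it against the advisory's affected list. The function names and build labels are made up here, the release-status nibble is ignored, and the sample tuples are constructed from the versions the messages name.

```python
import ssl

# Affected release -> fixed release, as listed in the advisory (CVE-2015-1793).
FIXED_BY = {"1.0.1n": "1.0.1p", "1.0.1o": "1.0.1p",
            "1.0.2b": "1.0.2d", "1.0.2c": "1.0.2d"}


def decode_version_number(number):
    """Split an OPENSSL_VERSION_NUMBER (0xMNNFFPPS) into a 5-tuple."""
    return ((number >> 28) & 0xF, (number >> 20) & 0xFF,
            (number >> 12) & 0xFF, (number >> 4) & 0xFF, number & 0xF)


def release_name(version_info):
    """Name a (major, minor, fix, patch, status) tuple, e.g. '1.0.2c'."""
    major, minor, fix, patch = version_info[:4]
    if major >= 3:
        # OpenSSL 3.x dropped letters: the tuple carries major.minor.patch.
        return "%d.%d.%d" % (major, minor, patch)
    # In 1.x releases the patch number is printed as a letter (1 -> 'a').
    letter = chr(ord("a") + patch - 1) if patch else ""
    return "%d.%d.%d%s" % (major, minor, fix, letter)


def triage(version_info):
    """Return (release, affected, upgrade_to) for one linked OpenSSL."""
    name = release_name(version_info)
    return name, name in FIXED_BY, FIXED_BY.get(name)


# Versions named in the thread, as constructed tuples; labels are hypothetical.
THREAD_BUILDS = {
    "3.5b3 build": (1, 0, 2, 3, 15),          # 1.0.2c
    "production build A": (1, 0, 2, 1, 15),   # 1.0.2a
    "production build B": (1, 0, 1, 10, 15),  # 1.0.1j
}

if __name__ == "__main__":
    for label, info in sorted(THREAD_BUILDS.items()):
        print(label, triage(info))
    # The OpenSSL this interpreter is actually linked against.
    print("this interpreter", triage(ssl.OPENSSL_VERSION_INFO))
```
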
Re: [Python-Dev] Issue #15014 - SMTP AUTH initial-response (beta exception requested)
On Jul 09, 2015, at 08:47 PM, Nick Coghlan wrote:
>That strikes me as just the kind of
>not-quite-as-finished-as-we-thought case that the beta cycle is
>designed to flush out, so the minor further enhancement sounds like a
>good idea to me.

Cool. RDM provided some good feedback in the review, so I'll be committing this at some point today.

Cheers,
-Barry

Re: [Python-Dev] cpython: Tighten-up code in the set iterator to use an entry pointer rather than
On Thu, Jul 9, 2015 at 7:41 AM, Guido van Rossum wrote:
> On Wed, Jul 8, 2015 at 10:19 PM, Serhiy Storchaka
> wrote:
>>
>> On 08.07.15 01:45, Raymond Hettinger wrote:
>>>
>>> P.S. I don't think python-dev post was necessary or helpful (and I still
>>> haven't had a chance to read the whole thread). It would have been
>>> sufficient to assign the tracker entry back to me.
>>
>>
>> Well, I'll open new issue and assign it to you for every your commit that
>> looks questionable to me.
>
>
> That sounds like a fine solution, and a good conclusion of the thread.

I don't have a very strong opinion on the solution, but should the dev guide be updated to clarify the feelings expressed about the mailing lists in this thread? My interpretation of the dev guide always left me with the feeling that following python-dev was expected for Python core devs:

* https://docs.python.org/devguide/communication.html#communication
* https://docs.python.org/devguide/coredev.html#mailing-lists

-- Meador

[Python-Dev] modules dependencies issues
Hi,

I use pip to install modules and setuptools to install dependencies, and generate a console_script using the entry_point parameter of setup. Here is the issue : my current sources depend on modules, let's say A=1.0, B=1.0, C=2.0. And C depends on B=1.1

I have no problem with using pip to install dependencies. However setuptools complain that 2 versions are conflicting :

Installed /private/tmp/test/my-module
Processing dependencies for my-module==0.0.1
error: B 1.0 is installed but B==1.1 is required by set(['C'])

Forcing my-module to use B=1.1 fixes the issue. However it's just a sample and my code is using a lot of modules that use other shared modules too. Is there a way to let dependencies use their own version of the modules they need while the current use another version ? Currently every time we need to upgrade one module, we need to make sure dependencies use this new version too :(

Thanks
--
Cyril SCETBON

Re: [Python-Dev] modules dependencies issues
On 07/09/2015 10:34 AM, Cyril Scetbon wrote:

[...]

Greetings!

You have found the gathering place of the Python Developers -- as in, we discuss the development /of/ Python, not developing /with/ Python.

You should ask your question on python-list, and perhaps on distutils-sig.

Good luck!

--
~Ethan~

Re: [Python-Dev] modules dependencies issues
Okay I'll try. Thanks

> On Jul 9, 2015, at 20:24, Ethan Furman wrote:
>
> On 07/09/2015 10:34 AM, Cyril Scetbon wrote:
>
> [...]
>
> Greetings!
>
> You have found the gathering place of the Python Developers -- as in, we
> discuss the development /of/ Python, not developing /with/ Python.
>
> You should ask your question on python-list, and perhaps on distutils-sig.
>
> Good luck!
>
> --
> ~Ethan~