Feasibility of Python 2.7 security update in 14.04

Aaron Gable agable at chromium.org
Mon Oct 24 18:02:53 UTC 2016


Yes, both points are true, which is why I initially asked if this could be
upgraded as a [security] fix. This is certainly a security upgrade --
preventing POODLE and actually enforcing SSL validation (which lots of
folks *think* they're getting, but aren't) are huge wins on the security
front. And security upgrades are generally not required to be as strictly
backwards compatible. This change would preserve API compatibility, and
modify behavior for the better, so I would like to help it move forward.
What can I do to help resolve the testing difficulties mentioned in
https://bugs.launchpad.net/ubuntu/+bug/1525507 ?

Aaron

On Fri, Oct 21, 2016 at 2:08 AM Ernst Sjöstrand <ernstp at gmail.com> wrote:

> Hi,
>
> I'm all in favor of updating things like this, however these two have the
> potential to break some custom scripts out there I think:
>
>    - HTTPS certificate validation using the system's certificate store is
>    now enabled by default. See PEP 476
>    <https://www.python.org/dev/peps/pep-0476/> for details.
>    - SSLv3 has been disabled by default in httplib and its reverse
>    dependencies due to the POODLE attack
>    <https://www.imperialviolet.org/2014/10/14/poodle.html>.
>
> Regards
> //Ernst
>
> 2016-10-20 19:28 GMT+02:00 Aaron Gable <agable at chromium.org>:
>
> Thanks!
>
> On Wed, Oct 19, 2016 at 11:38 PM Marc Deslauriers <
> marc.deslauriers at canonical.com> wrote:
>
> Hi,
>
> On 2016-10-20 03:32 AM, Aaron Gable wrote:
> > Hi Ubuntu devs,
> >
> > I'd like to inquire about the feasibility of including an update to the
> > python2.7[1] package in Ubuntu 14.04 LTS Trusty Tahr.
> >
> > In particular, the package is currently pinned at Python version 2.7.6[2]
> > (from November 2013). However, version 2.7.9[3] (from December 2014)
> > includes significant network security enhancements[4] that I believe may
> > justify an update.
> >
> > Is such an update simply out of the question for an LTS release? If not,
> > who are the relevant people for me to discuss this in more depth with?
> >
> > Thanks for your help,
> > Aaron
> >
> > [1] http://packages.ubuntu.com/trusty/python2.7
> > [2] https://www.python.org/download/releases/2.7.6/
> > [3] https://www.python.org/downloads/release/python-279/
> > [4] https://www.python.org/dev/peps/pep-0466/
> >
> >
>
> The plan was to update Ubuntu 14.04 to Python 2.7.10. I'm not sure what the
> current status is:
>
> https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1348955
> https://bugs.launchpad.net/ubuntu/+bug/1525507
>
>
> Is there anything I can do to help these bugs get triaged/prioritized and
> assigned?
>
> +doko at canonical.com
> Matthias, can you provide additional context on the background and current
> progress on those bugs?
>
> Thanks,
> Aaron
>
>
>
>
> Marc.
>
>
>
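
Added example, not part of the thread and not code from Ubuntu or CPython: a small audit that reports whether the running interpreter gives HTTPS clients the two behaviours discussed above (PEP 476 certificate validation and SSLv3 disabled by default) and whether a script has switched validation off process-wide using the opt-out that PEP 476 documents. The names `audit_https_defaults`, `is_safe` and `LegacySSL` are hypothetical, and `LegacySSL` is a constructed stand-in for an `ssl` module that predates 2.7.9.

```python
import ssl
import sys


def audit_https_defaults(ssl_mod=ssl, version=sys.version_info):
    """Report whether HTTPS clients in this interpreter verify certificates
    and refuse SSLv3 by default (the 2.7.9 / PEP 476 behaviour)."""
    report = {"python": ".".join(str(p) for p in version[:3])}

    # ssl.create_default_context arrived in 2.7.9 with the PEP 466 backport.
    factory = getattr(ssl_mod, "create_default_context", None)
    if factory is None:
        # Assumption: an ssl module without it has the pre-2.7.9 defaults,
        # i.e. no certificate validation and SSLv3 not disabled by Python.
        report.update(has_default_context=False, verifies_cert=False,
                      checks_hostname=False, sslv3_disabled=False,
                      globally_disabled=False)
        return report

    ctx = factory()
    report["has_default_context"] = True
    report["verifies_cert"] = ctx.verify_mode == ssl_mod.CERT_REQUIRED
    report["checks_hostname"] = bool(ctx.check_hostname)
    report["sslv3_disabled"] = bool(ctx.options & ssl_mod.OP_NO_SSLv3)

    # PEP 476 documents a process-wide opt-out: rebinding the private hook
    # ssl._create_default_https_context to ssl._create_unverified_context.
    hook = getattr(ssl_mod, "_create_default_https_context", None)
    unverified = getattr(ssl_mod, "_create_unverified_context", None)
    report["globally_disabled"] = hook is not None and hook is unverified
    return report


def is_safe(report):
    """True only when validation, hostname checks and the SSLv3 ban all hold."""
    return (report["verifies_cert"] and report["checks_hostname"]
            and report["sslv3_disabled"] and not report["globally_disabled"])


class LegacySSL(object):
    """Constructed stand-in for an ssl module without create_default_context."""
    CERT_REQUIRED = 2


if __name__ == "__main__":
    for name, value in sorted(audit_https_defaults().items()):
        print("%-20s %s" % (name, value))
```
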