Date: Mon, 28 Feb 2011 15:21:39 -0500
From: Barry Warsaw <barry@...hon.org>
To: bk <chort0@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, security@...hon.org
Subject: Re: [PSRT] Python ssl handling could be better...

On Feb 28, 2011, at 10:37 AM, bk wrote:

>> I think we should be happy with the inclusion of such options in 3.2....
>
>No, I'm not going to be happy about an after-thought fix.  At least
>httplib.py should never have been put in the tree without an option to tell
>ssl.py to verify the server cert.  FFS they have client cert support, would
>it REALLY be that hard to pass the verification parameter to ssl.py?  No,
>it's just sheer ignorance of security.

Maybe I missed it, but do you have a specific patch you want us to review?

As for back porting to stable release versions, that will have to be
determined by the release managers for each version, and that can only be done
once there are actual patches we can look at.  All versions of Python prior to
3.3 are now in stable release mode, so (speaking as the Python 2.6 RM) patches
that add new features or change API just can't be accepted.  I'm skeptical,
but if there are backward compatible changes that can be added as a bug fix to
Python 3.2 or 2.7, those might be considered.

The best way to handle the situation in that case is:

* Develop a patch for Python 3.3 which includes unit tests and documentation,
  get it reviewed, and lobby the Python community for inclusion in 3.3.

* Back port the changes to a standalone library for earlier versions of Python
  and release these on the Cheeseshop.

* Evangelize these separate packages for users who want the full security of
  authenticated encrypted channels.

Please understand that these policies have been in place for many years and we
adhere to them after many hard lessons learned.

-Barry


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
