On 30 July 2015 at 04:50, Guido van Rossum <gu...@python.org> wrote:
> I believe that in this particular case, the bug was fixed (by tightening the
> requirements for headers) because the bug can lead to security
> vulnerabilities. I think you can find more by Googling for keywords like
> "http header injection". The more recent Python 2.7 bugfix releases have
> specific exemptions from the backwards compatibility requirements for
> security fixes -- because their lifespan will still be many years (EOL of
> 2.7 is summer 2020).
Yeah - this is a security issue, and unfortunately it's one that can break programs [or rather, expose how they were broken already at an earlier and less susceptible point].

As a new committer, I'd like to double check my understanding of the policy:

https://docs.python.org/devguide/devcycle.html#maintenance-branches

"... The only changes allowed to occur in a maintenance branch without debate are bug fixes. Also, a general rule for maintenance branches is that compatibility must not be broken at any point between sibling minor releases (3.4.1, 3.4.2, etc.). For both rules, only rare exceptions are accepted and must be discussed first."

Where should these things be discussed? I've been discussing with other committers on the issues in the issue tracker. Is this sufficient? What is the social norm?

https://docs.python.org/devguide/devcycle.html#security-branches

"...The only changes made to a security branch are those fixing issues exploitable by attackers such as crashes, privilege escalation and, optionally, other issues such as denial of service attacks. Any other changes are not considered a security risk and thus not backported to a security branch."

This page doesn't specify the exception for 2.7, and by my poor reading of it the http issue wouldn't pass muster - but I think it was appropriate to apply. So I'm confused. Help :).

-Rob

_______________________________________________
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers
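The "http header injection" class that Guido names is the reason a header check can legitimately break existing callers: any value that carries its own CR/LF terminates the header line early and lets the rest of the value be parsed as further headers. As an added illustration (not CPython's code and not from either message in this thread), the validator below refuses header names that are not RFC 7230 tokens and values that contain CR, LF or NUL, and a line-count helper shows how a naive serializer exposes the problem. Function names and the sample inputs are my own assumptions.

```python
import re

# Constructed example of a header check in the spirit of the tightened
# header requirements discussed above. Not CPython's implementation;
# the function names and sample inputs here are assumptions.

# RFC 7230 "token" characters, the only ones allowed in a field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# CR, LF or NUL inside a value lets the value end the current header
# line and start a new one; that is the injection primitive.
_BAD_VALUE_RE = re.compile(r"[\r\n\x00]")


def validate_header(name, value):
    """Return True if (name, value) can be emitted as exactly one header line.

    Rejects non-token names, values containing CR/LF/NUL, and values that
    begin with a space or tab (an obs-fold continuation, which downstream
    parsers treat inconsistently).
    """
    if not isinstance(name, str) or not isinstance(value, str):
        return False
    if not _TOKEN_RE.match(name):
        return False
    if _BAD_VALUE_RE.search(value):
        return False
    if value[:1] in (" ", "\t"):
        return False
    return True


def count_header_lines(headers):
    """Serialize headers naively and count the resulting CRLF-terminated lines.

    A sound serializer yields one line per header; any surplus means a
    value smuggled its own line terminator into the stream.
    """
    raw = "".join("%s: %s\r\n" % (n, v) for n, v in headers)
    return raw.count("\r\n")


def build_headers(headers):
    """Return the serialized header block, or raise ValueError.

    This is the defensive counterpart to count_header_lines: every header
    is validated before anything is written to the wire.
    """
    for name, value in headers:
        if not validate_header(name, value):
            raise ValueError("invalid header: %r" % (name,))
    return "".join("%s: %s\r\n" % (n, v) for n, v in headers)


if __name__ == "__main__":
    clean = [("Host", "example.com"), ("X-Request-Id", "abc123")]
    tainted = [("Host", "example.com"), ("X-Request-Id", "abc\r\nX-Injected: 1")]
    print(count_header_lines(clean), "lines for 2 clean headers")
    print(count_header_lines(tainted), "lines for 2 headers, one tainted")
    print(build_headers(clean))
```

The behaviour this models is exactly why the fix is backwards-incompatible in practice: a program that was already passing an unsanitized value through had a latent bug, and the check surfaces it as a ValueError at the call site rather than as a malformed request on the wire.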