Re: Feasibility of Python 2.7 security update in 14.04

2016-10-30 Thread Matthias Klose
On 24.10.2016 20:02, Aaron Gable wrote:
> Yes, both points are true, which is why I initially asked if this could be
> upgraded as a [security] fix. This is certainly a security upgrade --
> preventing POODLE and actually enforcing SSL validation (which lots of
> folks *think* they're getting, but aren't) are huge wins on the security
> front. And security upgrades are generally not required to be as strictly
> backwards compatible. This change would preserve API compatibility, and
> modify behavior for the better, so I would like to help it move forward.
> What can I do to help resolve the testing difficulties mentioned in
> https://bugs.launchpad.net/ubuntu/+bug/1525507 ?
> 
> Aaron
> 
> On Fri, Oct 21, 2016 at 2:08 AM Ernst Sjöstrand  wrote:
> 
>> Hi,
>>
>> I'm all in favor of updating things like this, however these two have the
>> potential to break some custom scripts out there I think:
>>
>>    - HTTPS certificate validation using the system's certificate store is
>>      now enabled by default. See PEP 476 for details.
>>    - SSLv3 has been disabled by default in httplib and its reverse
>>      dependencies due to the POODLE attack.
>>
>> Regards
>> //Ernst
>>
>> 2016-10-20 19:28 GMT+02:00 Aaron Gable :
>>
>> Thanks!
>>
>> On Wed, Oct 19, 2016 at 11:38 PM Marc Deslauriers <
>> marc.deslauri...@canonical.com> wrote:
>>
>> Hi,
>>
>> On 2016-10-20 03:32 AM, Aaron Gable wrote:
>>> Hi Ubuntu devs,
>>>
>>> I'd like to inquire about the feasibility of including an update to the
>>> python2.7[1] package in Ubuntu 14.04 LTS Trusty Tahr.
>>>
>>> In particular, the package is currently pinned at Python version
>> 2.7.6[2] (from
>>> November 2.13). However, version 2.7.9[3] (from December 2014) includes
>>> significant network security enhancements[4] that I believe may justify
>> an update.
>>>
>>> Is such an update simply out of the question for an LTS release? If not,
>> who are
>>> the relevant people for me to discuss this in more depth with?
>>>
>>> Thanks for your help,
>>> Aaron
>>>
>>> [1] http://packages.ubuntu.com/trusty/python2.7
>>> [2] https://www.python.org/download/releases/2.7.6/
>>> [3] https://www.python.org/downloads/release/python-279/
>>> [4] https://www.python.org/dev/peps/pep-0466/
>>>
>>>
>>
>> The plan was to update Ubuntu 14.04 to Python 2.7.10. I'm not sure what the
>> current status is:
>>
>> https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1348955
>> https://bugs.launchpad.net/ubuntu/+bug/1525507
>>
>>
>> Is there anything I can do to help these bugs get triaged/prioritized and
>> assigned?
>>
>> +d...@canonical.com
>> Matthias, can you provide additional context on the background and current
>> progress on those bugs?

left a comment in
https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1348955


-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Re: Feasibility of Python 2.7 security update in 14.04

2016-10-24 Thread Aaron Gable
Yes, both points are true, which is why I initially asked if this could be
upgraded as a [security] fix. This is certainly a security upgrade --
preventing POODLE and actually enforcing SSL validation (which lots of
folks *think* they're getting, but aren't) are huge wins on the security
front. And security upgrades are generally not required to be as strictly
backwards compatible. This change would preserve API compatibility, and
modify behavior for the better, so I would like to help it move forward.
What can I do to help resolve the testing difficulties mentioned in
https://bugs.launchpad.net/ubuntu/+bug/1525507 ?

Aaron

On Fri, Oct 21, 2016 at 2:08 AM Ernst Sjöstrand  wrote:

> Hi,
>
> I'm all in favor of updating things like this, however these two have the
> potential to break some custom scripts out there I think:
>
>    - HTTPS certificate validation using the system's certificate store is
>      now enabled by default. See PEP 476 for details.
>    - SSLv3 has been disabled by default in httplib and its reverse
>      dependencies due to the POODLE attack.
>
> Regards
> //Ernst
>
> 2016-10-20 19:28 GMT+02:00 Aaron Gable :
>
> Thanks!
>
> On Wed, Oct 19, 2016 at 11:38 PM Marc Deslauriers <
> marc.deslauri...@canonical.com> wrote:
>
> Hi,
>
> On 2016-10-20 03:32 AM, Aaron Gable wrote:
> > Hi Ubuntu devs,
> >
> > I'd like to inquire about the feasibility of including an update to the
> > python2.7[1] package in Ubuntu 14.04 LTS Trusty Tahr.
> >
> > In particular, the package is currently pinned at Python version
> 2.7.6[2] (from
> > November 2.13). However, version 2.7.9[3] (from December 2014) includes
> > significant network security enhancements[4] that I believe may justify
> an update.
> >
> > Is such an update simply out of the question for an LTS release? If not,
> who are
> > the relevant people for me to discuss this in more depth with?
> >
> > Thanks for your help,
> > Aaron
> >
> > [1] http://packages.ubuntu.com/trusty/python2.7
> > [2] https://www.python.org/download/releases/2.7.6/
> > [3] https://www.python.org/downloads/release/python-279/
> > [4] https://www.python.org/dev/peps/pep-0466/
> >
> >
>
> The plan was to update Ubuntu 14.04 to Python 2.7.10. I'm not sure what the
> current status is:
>
> https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1348955
> https://bugs.launchpad.net/ubuntu/+bug/1525507
>
>
> Is there anything I can do to help these bugs get triaged/prioritized and
> assigned?
>
> +d...@canonical.com
> Matthias, can you provide additional context on the background and current
> progress on those bugs?
>
> Thanks,
> Aaron
>
>
>
>
> Marc.
>
>


Re: Feasibility of Python 2.7 security update in 14.04

2016-10-21 Thread Clint Byrum
Excerpts from Ernst Sjöstrand's message of 2016-10-21 11:08:07 +0200:
> Hi,
> 
> I'm all in favor of updating things like this, however these two have the
> potential to break some custom scripts out there I think:
> 
>    - HTTPS certificate validation using the system's certificate store is
>      now enabled by default. See PEP 476 for details.
>    - SSLv3 has been disabled by default in httplib and its reverse
>      dependencies due to the POODLE attack.
> 

That's a good point. However, things "broken" by this were already
_extremely_ broken.

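A check for the two defaults discussed in the messages above (PEP 476 certificate validation and SSLv3 being off), as an added example that is not part of the original thread. It reads the private `ssl._create_default_https_context` hook that PEP 476 introduced; the function names `audit_context` and `audit_interpreter` are illustrative.

```python
import ssl
import sys


def audit_context(ctx):
    """Summarise the security-relevant settings of one SSLContext."""
    no_sslv3 = getattr(ssl, "OP_NO_SSLv3", 0)
    return {
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(getattr(ctx, "check_hostname", False)),
        "sslv3_disabled": bool(ctx.options & no_sslv3),
    }


def audit_interpreter():
    """Report what stdlib HTTPS clients get by default on this interpreter."""
    report = {"python": "%d.%d.%d" % sys.version_info[:3], "pep476": False,
              "opted_out": False, "verifies_cert": False,
              "checks_hostname": False, "sslv3_disabled": False}
    # PEP 476 hook: httplib/urllib call this to build their context.
    factory = getattr(ssl, "_create_default_https_context", None)
    if factory is None:
        # Interpreter predates PEP 476: HTTPS connects without validation.
        return report
    report["pep476"] = True
    # PEP 476's documented opt-out rebinds the hook to the unverified factory.
    report["opted_out"] = factory is getattr(ssl, "_create_unverified_context", None)
    report.update(audit_context(factory()))
    return report


if __name__ == "__main__":
    result = audit_interpreter()
    for key in sorted(result):
        print("%-16s %s" % (key, result[key]))
    # Non-zero exit lets a deployment check fail on weak defaults.
    ok = (result["verifies_cert"] and result["checks_hostname"]
          and result["sslv3_disabled"])
    sys.exit(0 if ok else 1)
```

Run with the interpreter a script actually uses; an interpreter without the hook reports `pep476 False`, and a process that has rebound the hook reports `opted_out True`.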


Re: Feasibility of Python 2.7 security update in 14.04

2016-10-20 Thread Aaron Gable
Thanks!

On Wed, Oct 19, 2016 at 11:38 PM Marc Deslauriers <
marc.deslauri...@canonical.com> wrote:

> Hi,
>
> On 2016-10-20 03:32 AM, Aaron Gable wrote:
> > Hi Ubuntu devs,
> >
> > I'd like to inquire about the feasibility of including an update to the
> > python2.7[1] package in Ubuntu 14.04 LTS Trusty Tahr.
> >
> > In particular, the package is currently pinned at Python version
> 2.7.6[2] (from
> > November 2.13). However, version 2.7.9[3] (from December 2014) includes
> > significant network security enhancements[4] that I believe may justify
> an update.
> >
> > Is such an update simply out of the question for an LTS release? If not,
> who are
> > the relevant people for me to discuss this in more depth with?
> >
> > Thanks for your help,
> > Aaron
> >
> > [1] http://packages.ubuntu.com/trusty/python2.7
> > [2] https://www.python.org/download/releases/2.7.6/
> > [3] https://www.python.org/downloads/release/python-279/
> > [4] https://www.python.org/dev/peps/pep-0466/
> >
> >
>
> The plan was to update Ubuntu 14.04 to Python 2.7.10. I'm not sure what the
> current status is:
>
> https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1348955
> https://bugs.launchpad.net/ubuntu/+bug/1525507


Is there anything I can do to help these bugs get triaged/prioritized and
assigned?

+d...@canonical.com
Matthias, can you provide additional context on the background and current
progress on those bugs?

Thanks,
Aaron


>
>
> Marc.
>
>


Re: Feasibility of Python 2.7 security update in 14.04

2016-10-20 Thread Marc Deslauriers
Hi,

On 2016-10-20 03:32 AM, Aaron Gable wrote:
> Hi Ubuntu devs,
> 
> I'd like to inquire about the feasibility of including an update to the
> python2.7[1] package in Ubuntu 14.04 LTS Trusty Tahr.
> 
> In particular, the package is currently pinned at Python version 2.7.6[2] 
> (from
> November 2.13). However, version 2.7.9[3] (from December 2014) includes
> significant network security enhancements[4] that I believe may justify an 
> update.
> 
> Is such an update simply out of the question for an LTS release? If not, who 
> are
> the relevant people for me to discuss this in more depth with?
> 
> Thanks for your help,
> Aaron
> 
> [1] http://packages.ubuntu.com/trusty/python2.7
> [2] https://www.python.org/download/releases/2.7.6/
> [3] https://www.python.org/downloads/release/python-279/
> [4] https://www.python.org/dev/peps/pep-0466/
> 
> 

The plan was to update Ubuntu 14.04 to Python 2.7.10. I'm not sure what the
current status is:

https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1348955
https://bugs.launchpad.net/ubuntu/+bug/1525507

Marc.




Feasibility of Python 2.7 security update in 14.04

2016-10-19 Thread Aaron Gable
Hi Ubuntu devs,

I'd like to inquire about the feasibility of including an update to the
python2.7[1] package in Ubuntu 14.04 LTS Trusty Tahr.

In particular, the package is currently pinned at Python version
2.7.6[2] (from November 2.13). However, version 2.7.9[3] (from December
2014) includes significant network security enhancements[4] that I believe
may justify an update.

Is such an update simply out of the question for an LTS release? If not,
who are the relevant people for me to discuss this in more depth with?

Thanks for your help,
Aaron

[1] http://packages.ubuntu.com/trusty/python2.7
[2] https://www.python.org/download/releases/2.7.6/
[3] https://www.python.org/downloads/release/python-279/
[4] https://www.python.org/dev/peps/pep-0466/