[issue20994] Disable TLS Compression

Donald Stufft added the comment: To be specific it doesn't require any remote code execution to work, it just requires you to be able to influence the content of the responses that the client is receiving. -- ___ Python tracker

[issue20980] In multiprocessing.pool, ExceptionWithTraceback should derive from Exception

Steven Myint added the comment: This bug was introduced in #13831. -- versions: +Python 3.5 ___ Python tracker ___ ___ Python-bugs-lis

[issue20994] Disable TLS Compression

Alex Stapleton added the comment: CRIME is not universally applicable to all TLS connections and it requires some cooperation from the application to work. In fact for a Python TLS client it seems quite unlikely for an application to be vulnerable. The attack in the paper leverages an insecure

[issue20997] Wrong URL fragment identifier in search result

New submission from Baptiste Mispelon: When doing a search for "PYTHONDONTWRITEBYTECODE" on the 2.7 docs (http://docs.python.org/2/search.html?q=PYTHONDONTWRITEBYTECODE), the first (and only) search result is the following link: http://docs.python.org/2/using/cmdline.html?highlight=pythondontw

[issue20995] Use Better Default Ciphers for the SSL Module

R. David Murray added the comment: create_default_context is about best practices, though, so it seems to me it wouldn't be crazy to do it there. -- nosy: +r.david.murray ___ Python tracker ___

[issue20995] Use Better Default Ciphers for the SSL Module

Marc-Andre Lemburg added the comment: On 20.03.2014 15:11, Donald Stufft wrote: > > The compatibility of this is pretty good. The only time this should cause a > connection to *fail* is if a server is using an insecure cipher and in that > case you can re-enable it by simply passing the origin

[issue20996] Backport TLS 1.1 and 1.2 support for ssl_version

Antoine Pitrou added the comment: Two questions: - does it fix a bug in Python? - does it fix a security issue in Python? -- ___ Python tracker ___ __

[issue20996] Backport TLS 1.1 and 1.2 support for ssl_version

New submission from Donald Stufft: Python 3.4 has constants and code to enable forcing the ssl_version to TLS 1.1 or 1.2. As it stands now Python 2.7, 3.2, and 3.3 can successfully connect and will use a TLS 1.1 or 1.2 connection if it's available (new enough OpenSSL) but cannot _force_ a conn

[issue20995] Use Better Default Ciphers for the SSL Module

Antoine Pitrou added the comment: I really don't think hardcoding specific ciphers is a good idea. -- ___ Python tracker ___ ___ Pytho

[issue20995] Use Better Default Ciphers for the SSL Module

Changes by Alex Gaynor : -- nosy: +alex ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org

[issue20995] Use Better Default Ciphers for the SSL Module

New submission from Donald Stufft: As of right now the default cipher list for the ssl module is DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2, additionally on Python 3.4 when you use create_default_context() then you also additionally get HIGH:!aNULL:!RC4:!DSS. I think we should change this to t

[issue20994] Disable TLS Compression

Changes by Alex Gaynor : -- nosy: +alex ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org

[issue20994] Disable TLS Compression

Antoine Pitrou added the comment: > Do you think it'd be OK to just disable TLS Compression in 2.7 and 3.2 > without the option to turn it back on? I think that would be fine > personally. I'm not enough of a TLS expert, but it sounds ok. -- ___ Pyth

[issue20994] Disable TLS Compression

Donald Stufft added the comment: Ah, I hadn't noticed the OP_ALL thing, in 3.3+ adding OP_NO_COMPRESSION to OP_ALL would be reasonable. That would disable TLS Compression by default, still provide people the ability to disable TLS Compression if they don't use OP_ALL, and provide a way to enab

[issue20976] pyflakes: remove unused imports

R. David Murray added the comment: Sure. -- ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python

[issue20994] Disable TLS Compression

Antoine Pitrou added the comment: It would probably be sufficient to add OP_NO_COMPRESSION to OP_ALL. -- ___ Python tracker ___ ___ Py

[issue20994] Disable TLS Compression

New submission from Donald Stufft: Since Python 3.3 the ssl module has supported the ability to opt in to disabling TLS Compression [1]. However TLS Compression has the problem that it typically leaks data through an attack known as CRIME. CRIME is specific to HTTP but the type of attack it em

[issue20986] test_startup_imports fails in test_site when executed inside venv

Changes by Brett Cannon : -- nosy: +brett.cannon ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.p

[issue20976] pyflakes: remove unused imports

Barry A. Warsaw added the comment: On Mar 20, 2014, at 01:32 PM, R. David Murray wrote: >Well, one reason is I was afraid mailman might be using them. So if you are >cool with it, that removes that objection. Nope, neither the 2.1 or 3.0 code uses those methods AFAICT. >The other reason was t

[issue20976] pyflakes: remove unused imports

STINNER Victor added the comment: Barry, David: It's up to you. I'm done with this issue, but you can drop more unused import if you want. Since I don't know well the email module, I don't want to be responsible of breaking it :-) -- ___ Python trac

[issue20993] Quicklink to PEPs is wrong.

Zachary Ware added the comment: It turns out that adding a slash to the end of the existing address was enough to get the right redirect, so I went with that instead of your patch. Either way, thanks for the report! -- assignee: -> zach.ware nosy: +zach.ware resolution: -> fixed stag

[issue20976] pyflakes: remove unused imports

R. David Murray added the comment: Well, one reason is I was afraid mailman might be using them. So if you are cool with it, that removes that objection. The other reason was that it seemed they were being used "from" utils on purpose, as a design thing. I did not take the time to do a full

[issue20993] Quicklink to PEPs is wrong.

Roundup Robot added the comment: New changeset 0d9f428f28ce by Zachary Ware in branch 'default': Issue #20993: Fix link to PEPs http://hg.python.org/devguide/rev/0d9f428f28ce -- nosy: +python-dev ___ Python tracker

[issue20218] Add methods to `pathlib.Path`: `write_text`, `read_text`, `write_bytes`, `read_bytes`

Ram Rachum added the comment: I understand Antoine. At this point, while I could easily implement the changes you ask for in your review, I'm concerned that we are spending our time adding a feature to Python that nobody really loves. What I'd really love is a pair of methods `read` and `wri

[issue20976] pyflakes: remove unused imports

Barry A. Warsaw added the comment: On Mar 20, 2014, at 08:29 AM, STINNER Victor wrote: >from quopri import decodestring as _qdecode >from email.encoders import _bencode, _qencode AFAICT, _qdecode is only used in email/messages.py, so perhaps it's better to import it there and remove it from uti

[issue20991] Issues about relative& absolute import way for Portingfrom python2.4 to python2.7

Brett Cannon added the comment: This isn't a bug so closing as invalid. As suggested on python-dev, ask on python-list or python-help for assistance. -- nosy: +brett.cannon resolution: -> invalid status: open -> closed ___ Python tracker

[issue20444] Reduce logging.config.Converting duplication of code

Roundup Robot added the comment: New changeset f27f594a96c3 by Vinay Sajip in branch '3.4': Issue #20444: Reduced code duplication. http://hg.python.org/cpython/rev/f27f594a96c3 New changeset 135aa1c4349d by Vinay Sajip in branch 'default': Closes #20444: Merged fix from 3.4. http://hg.python.or

[issue5639] Support TLS SNI extension in ssl module

STINNER Victor added the comment: Please discuss the Python 2 documentation in a new issue, this one is now closed and so hidden from the list of bugs. -- nosy: +haypo ___ Python tracker ___

[issue20686] Confusing statement about unicode strings in tutorial introduction

R. David Murray added the comment: re: file. You forgot the 'u' in front of the string: >>> f.write(u'This is a «test»\n') Traceback (most recent call last): File "", line 1, in UnicodeEncodeError: 'ascii' codec can't encode character u'\xab' in position 10: ordinal not in range(128) So yo

[issue5639] Support TLS SNI extension in ssl module

Antoine Pitrou added the comment: Understood, but that's no different from trying to connect with an old Windows or MSIE version (which I'm sure will also fail on some websites). Client-side SNI support has been added in Python 3.2, and 3.4 is now out. People who migrated their code to Python

[issue20558] ECONNRESET value in logging.config is valid with Linux [distros]; not valid with *BSD

Roundup Robot added the comment: New changeset 46fe23e000a1 by Vinay Sajip in branch '3.4': Issue #20558: Improved implementation of error handling. http://hg.python.org/cpython/rev/46fe23e000a1 -- ___ Python tracker

[issue20558] ECONNRESET value in logging.config is valid with Linux [distros]; not valid with *BSD

Roundup Robot added the comment: New changeset 9c27c9844be2 by Vinay Sajip in branch 'default': Closes #20558: Improved implementation of error handling. http://hg.python.org/cpython/rev/9c27c9844be2 -- resolution: -> fixed stage: -> committed/rejected status: open -> closed _

[issue19640] Dynamically generate the _source attribute of namedtuple to save memory)

Raymond Hettinger added the comment: The size of the _source attribute is about 2k per namedtuple class: >>> from collections import namedtuple >>> Response = namedtuple('Response', ['code', 'msg', 'compressed', 'written']) >>> len(Response._source) 2174 --

[issue13936] RFE: change bool(datetime.time(0, 0, 0)) to evaluate as True

Changes by lilydjwg : -- nosy: +lilydjwg ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.or

[issue5639] Support TLS SNI extension in ssl module

Donald Stufft added the comment: It's somewhat of a grey area of security feature. It's not directly a security feature but if you don't have SNI and you hit a site that requires it then your error message is going to be something like what people run into with PyPI[1] which is "Cannot verify

[issue20686] Confusing statement

Daniel U. Thibault added the comment: "The default encoding is normally set to ASCII [...]. When a Unicode string is printed, written to a file, or converted with str(), conversion takes place using this default encoding." >>> u"äöü" u'\xe4\xf6\xfc' Printing a Unicode string uses ASCII enco

[issue20989] XML File I/O Misbehavior with open() when the flag is 'r+'

R. David Murray added the comment: Your example doesn't seem to have anything to do with XML, nor is it sufficient to reproduce the problem. Can you provide a simple program including sample data that reproduces the behavior you are concerned with? We'll also need to know what platform you a

[issue5639] Support TLS SNI extension in ssl module

Antoine Pitrou added the comment: I'm missing some context to appreciate your message, Nick, but please note that SNI is not in itself a security feature. It just enables interoperability with TLS virtual hosts (aka. hosting several TLS-enabled domains behind a single IP and port). --

[issue20907] behavioral differences between shutil.unpack_archive and ZipFile.extractall

R. David Murray added the comment: Note that unix unzip does exactly the same thing as zipfile extractall (except that it does issue warnings), and I believe this is considered "best practice" these days for extraction tools: strip out absolute/relative path components and extract to the desti

[issue10141] SocketCan support

Roundup Robot added the comment: New changeset df427bf067d7 by Vinay Sajip in branch '3.4': Issue #10141: updated new usages of AF_CAN to be in #ifdef AF_CAN rather than #ifdef HAVE_LINUX_CAN_H to allow compilation on older Linuxes. http://hg.python.org/cpython/rev/df427bf067d7 --

[issue19640] Dynamically generate the _source attribute of namedtuple to save memory)

Changes by Raymond Hettinger : -- priority: normal -> low title: Drop _source attribute of namedtuple (waste memory) -> Dynamically generate the _source attribute of namedtuple to save memory) ___ Python tracker _

[issue19640] Drop _source attribute of namedtuple (waste memory)

Raymond Hettinger added the comment: FWIW, the "verbose" option is mentioned as outdated because the "_source" attribute was added. Also, there are real use cases, people are using the _source as writing it to a .py file so that the dynamic namedtuple generation step can be skipped on subsequ

[issue5639] Support TLS SNI extension in ssl module

Nick Coghlan added the comment: I'm currently discussing some options with Donald and Christian. While it's annoying that a developer from a certain large corporate user of Python (a director of the PSF, no less) is whining at volunteers on the internet instead of actually helping by encouraging

[issue19640] Drop _source attribute of namedtuple (waste memory)

Changes by Raymond Hettinger : -- versions: -Python 3.4 ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https:

[issue20986] test_startup_imports fails in test_site when executed inside venv

Vinay Sajip added the comment: It looks like the venv checking machinery in site.py was changed in 3.4 to import re conditionally if in a venv (in 3.3, it was an unconditional import). This doesn't seem wrong, so ISTM the test needs changing (it already contains exceptions for particular cases

[issue19640] Drop _source attribute of namedtuple (waste memory)

Changes by Raymond Hettinger : -- assignee: -> rhettinger ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http

[issue12384] difflib.SequenceMatcher and Match: code and doc bugs

Changes by Raymond Hettinger : -- nosy: +tim.peters ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mai

[issue14373] C implementation of functools.lru_cache

Raymond Hettinger added the comment: > Could you please make a review Raymond? Yes, I will take a look. I looking a making other changes to the lru_cache and don't want the C implementation to go it first. There are still some open questions about re-entrancy that still need to be addressed

[issue14373] C implementation of functools.lru_cache

Serhiy Storchaka added the comment: Could you please make a review Raymond? -- ___ Python tracker ___ ___ Python-bugs-list mailing lis

[issue18931] new selectors module should support devpoll on Solaris

Giampaolo Rodola' added the comment: "hg import http://bugs.python.org/file34522/devpoll3.patch"; applies cleanly for me. Not sure what else to do. -- ___ Python tracker ___ ___

[issue8743] set() operators don't work with collections.Set instances

Raymond Hettinger added the comment: Thanks for the patch update. I will look at it shortly. -- ___ Python tracker ___ ___ Python-bugs

[issue20906] Issues in Unicode HOWTO

Marc-Andre Lemburg added the comment: On 20.03.2014 11:49, Graham Wideman wrote: > >> An encoding is a mapping of characters to ordinals, nothing more or less. > > In unicode, the mapping from characters to ordinals (code points) is not the > encoding. It's the mapping from code points to byte

[issue6331] Add unicode script info to the unicode database

Martin v. Löwis added the comment: Pander: In what way would this extend or improve the current patch? -- ___ Python tracker ___ ___ Py

[issue20993] Quicklink to PEPs is wrong.

New submission from Auke Willem Oosterhoff: Quicklink[1] to PEPs points to the old page which doesn't exists anymore. Patch provided with correct link. [1]:http://docs.python.org/devguide/#quick-links -- components: Devguide files: index.patch keywords: patch messages: 214202 nosy: Oran

[issue5639] Support TLS SNI extension in ssl module

Antoine Pitrou added the comment: > Antoine, was Python 2.x a mistake? Really, can you stop arguing about this? If you want to know what Python considers features and bug fixes, then get acquainted with the development process instead of bickering. -- _

[issue5639] Support TLS SNI extension in ssl module

Dima Tisnek added the comment: Antoine, was Python 2.x a mistake? I don't think so. SNI is not a language feature, it's not even a python extension feature. It's a feature of and existing protocol and the underlying library. -- ___ Python tracker

[issue20988] Recommend ssl.create_default_context() in "Security considerations"

Antoine Pitrou added the comment: Duplicate of issue 20913. -- resolution: -> duplicate status: open -> closed superseder: -> Standard Library documentation needs SSL security best practices doc. ___ Python tracker

[issue5639] Support TLS SNI extension in ssl module

Antoine Pitrou added the comment: Nick: rather than direct users to use requests, we should direct them to use Python 3, which has had SNI support for 3+ years now. If client programs choose to remain on Python 2, it's *their* fault, not Python's. -- _

[issue20985] Add new style formatting to logging.config.fileConfig

Changes by Vinay Sajip : -- status: open -> closed ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail

[issue20906] Issues in Unicode HOWTO

Graham Wideman added the comment: Marc-Andre: Thanks for commenting: > > 2. 1. Python string --> some other code system, such as > > ASCII, cp1250, etc. The destination code system doesn't > > necessarily have anything to do with unicode, and whole > > ranges of unicode's characters either r

[issue20985] Add new style formatting to logging.config.fileConfig

Vinay Sajip added the comment: Though not deprecated, fileConfig() will not be receiving any enhancements (just bug-fixes). It is recommended that users who need more functionality migrate to using dictConfig(), which offers more configuration functionality than fileConfig() - e.g. configuring

[issue20907] behavioral differences between shutil.unpack_archive and ZipFile.extractall

Peter Santoro added the comment: It seems clear to me that the logic in shutil._unpack_zipfile that silently skips paths that start with '/' (indicates absolute path) or that contain references to the parent directory ('..') was added to prevent malicious zip files from making potential malici

[issue20992] reading individual bytes of multiple binary files using the Python module fileinput

New submission from Tommy Carstensen: This is my first post on bugs.python.org. I hope I abide to the rules. It was suggested to me on stackoverflow.com, that I request an enhancement to the module fileinput here: http://stackoverflow.com/questions/22510123/reading-individual-bytes-of-multiple-

[issue20148] Derby: Convert the _sre module to use Argument Clinic

Serhiy Storchaka added the comment: Here is updated patch. -- versions: +Python 3.5 -Python 3.4 Added file: http://bugs.python.org/file34529/sre_clinic_2.patch ___ Python tracker ___

[issue19255] Don't "wipe" builtins at shutdown

Changes by Serhiy Storchaka : -- assignee: -> serhiy.storchaka resolution: -> fixed stage: patch review -> committed/rejected status: open -> closed ___ Python tracker ___

[issue20981] ssl doesn't build anymore with OpenSSL 0.9.7 or older: X509_check_ca

Changes by STINNER Victor : -- title: ssl doesn't build anymore with OpenSSL 0.9.7 or older -> ssl doesn't build anymore with OpenSSL 0.9.7 or older: X509_check_ca ___ Python tracker __

[issue20981] ssl doesn't build anymore with OpenSSL 0.9.7 or older

STINNER Victor added the comment: It looks like FreeBSD 6.4 includes OpenSSL 0.9.7, whereas X509_check_ca() requires OpenSSL 0.9.8 or newer. -- title: ssl doesn't build anymore with old OpenSSL versions -> ssl doesn't build anymore with OpenSSL 0.9.7 or older _

[issue20978] pyflakes: undefined names

STINNER Victor added the comment: > What about 2.7? Python 2.7 is not affected. -- ___ Python tracker ___ ___ Python-bugs-list mailin

[issue20978] pyflakes: undefined names

Serhiy Storchaka added the comment: What about 2.7? -- ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://

[issue20990] pyflakes: undefined names, get_context() and main(), in multiprocessing

Serhiy Storchaka added the comment: > It looks like multiprocessing.get_context() exists, but I don't see how it > is defined. It is defined by: globals().update((name, getattr(context._default_context, name)) for name in context._default_context.__all__) > For main(), it shou

[issue20978] pyflakes: undefined names

Changes by STINNER Victor : -- resolution: -> fixed status: open -> closed ___ Python tracker ___ ___ Python-bugs-list mailing list U

[issue20976] pyflakes: remove unused imports

Changes by STINNER Victor : -- resolution: -> fixed status: open -> closed ___ Python tracker ___ ___ Python-bugs-list mailing list U

[issue20976] pyflakes: remove unused imports

STINNER Victor added the comment: > I would prefer that _qdecode be left alone. Ok, I leaved these symbols unchanged in Lib/email/utils.py even if they are not used: -- from quopri import decodestring as _qdecode from email.encoders import _bencode, _qencode -- --

[issue20976] pyflakes: remove unused imports

Roundup Robot added the comment: New changeset f6f691ff27b9 by Victor Stinner in branch '3.4': Issue #20976: pyflakes: Remove unused imports http://hg.python.org/cpython/rev/f6f691ff27b9 New changeset 714002a5c1b7 by Victor Stinner in branch 'default': (Merge 3.4) Issue #20976: pyflakes: Remove

[issue12328] multiprocessing's overlapped PipeConnection on Windows

Roundup Robot added the comment: New changeset bdad874195d6 by Victor Stinner in branch '3.4': Isuse #12328, #20978: Add _winapi.WAIT_ABANDONED_0 symbol, needed by http://hg.python.org/cpython/rev/bdad874195d6 New changeset 2e4692a762d5 by Victor Stinner in branch 'default': (Merge 3.4) Issue #1

[issue20978] pyflakes: undefined names

Roundup Robot added the comment: New changeset bdad874195d6 by Victor Stinner in branch '3.4': Isuse #12328, #20978: Add _winapi.WAIT_ABANDONED_0 symbol, needed by http://hg.python.org/cpython/rev/bdad874195d6 New changeset 2e4692a762d5 by Victor Stinner in branch 'default': (Merge 3.4) Issue #1

[issue20991] Issues about relative& absolute import way for Portingfrom python2.4 to python2.7

New submission from Vatel: I just wrote a sample like this: testPy/ __init__.py client.py SoamFactory.c SoamFactory.so soamapi.py sample/testP.py export PYTHONPATH=$(TEST_LOCATION):$(TEST_LOCATION)/testPy Here's the source codes: __init__.py:

[issue20977] pyflakes: undefined "ctype" in 2 except blocks in the email module

Changes by STINNER Victor : -- title: pyflakes: undefined "ctype" in 2 except blocks -> pyflakes: undefined "ctype" in 2 except blocks in the email module ___ Python tracker ___

[issue20978] pyflakes: undefined names

STINNER Victor added the comment: I created #20990 for the undefined names in multiprocessing. -- nosy: -python-dev ___ Python tracker ___ __

[issue20990] pyflakes: undefined names, get_context() and main(), in multiprocessing

STINNER Victor added the comment: Serhiy suggested (msg214136): "Lib/multiprocessing/synchronize.py: Add at the start of the file: from . import get_context" It looks like multiprocessing.get_context() exists, but I don't see how it is defined. For main(), it should maybe be replaced with _ma

[issue20990] pyflakes: undefined names, get_context() and main(), in multiprocessing

New submission from STINNER Victor: Two warnings from pyflakes: diff -r 72889bf8531d Lib/multiprocessing/spawn.py --- a/Lib/multiprocessing/spawn.py Tue Mar 18 13:21:29 2014 +0100 +++ b/Lib/multiprocessing/spawn.py Wed Mar 19 11:49:24 2014 +0100 @@ -64,6 +64,7 @@ def freeze_support():

[issue20978] pyflakes: undefined names

Roundup Robot added the comment: New changeset 6718d00b872b by Victor Stinner in branch '3.4': Issue #20978: Remove last part of OS/2 support in distutils http://hg.python.org/cpython/rev/6718d00b872b New changeset 8de5d0809dd8 by Victor Stinner in branch '3.4': Issue #20978: pyflakes: fix undef

[issue5639] Support TLS SNI extension in ssl module

Dima Tisnek added the comment: +dstufft is absolutely right. SNI needs to be enabled on lower level than "user" python code. if it is, requests and most other http client libs get it for free without dependencies. -- ___ Python tracker

[issue20906] Issues in Unicode HOWTO

Marc-Andre Lemburg added the comment: Just to clarify a few things: On 20.03.2014 00:50, Graham Wideman wrote: > > I think part of the ambiguity problem here is that there are two subtly but > importantly different ideas here: > > 1. Python string (capable of representing any unicode text) --

[issue17188] Document 'from None' in raise statement doc.

Petri Lehtinen added the comment: The patch doesn't apply cleanly on 3.4 or default. -- ___ Python tracker ___ ___ Python-bugs-list ma

<    1   2