Yes, both points are true, which is why I initially asked if this could be
upgraded as a [security] fix. This is certainly a security upgrade --
preventing POODLE and actually enforcing SSL validation (which lots of
folks *think* they're getting, but aren't) are huge wins on the security
front. And security upgrades are generally not required to be as strictly
backwards compatible. This change would preserve API compatibility, and
modify behavior for the better, so I would like to help it move forward.
What can I do to help resolve the testing difficulties mentioned in
https://bugs.launchpad.net/ubuntu/+bug/1525507 ?

Aaron

On Fri, Oct 21, 2016 at 2:08 AM Ernst Sjöstrand <ern...@gmail.com> wrote:

> Hi,
>
> I'm all in favor of updating things like this, however these two have the
> potential to break some custom scripts out there I think:
>
>    - HTTPS certificate validation using the system's certificate store is
>    now enabled by default. See PEP 476
>    <https://www.python.org/dev/peps/pep-0476/> for details.
>    - SSLv3 has been disabled by default in httplib and its reverse
>    dependencies due to the POODLE attack
>    <https://www.imperialviolet.org/2014/10/14/poodle.html>.
>
> Regards
> //Ernst
>
> 2016-10-20 19:28 GMT+02:00 Aaron Gable <aga...@chromium.org>:
>
> Thanks!
>
> On Wed, Oct 19, 2016 at 11:38 PM Marc Deslauriers <
> marc.deslauri...@canonical.com> wrote:
>
> Hi,
>
> On 2016-10-20 03:32 AM, Aaron Gable wrote:
> > Hi Ubuntu devs,
> >
> > I'd like to inquire about the feasibility of including an update to the
> > python2.7[1] package in Ubuntu 14.04 LTS Trusty Tahr.
> >
> > In particular, the package is currently pinned at Python version 2.7.6[2] (from
> > November 2.13). However, version 2.7.9[3] (from December 2014) includes
> > significant network security enhancements[4] that I believe may justify an update.
> >
> > Is such an update simply out of the question for an LTS release? If not, who are
> > the relevant people for me to discuss this in more depth with?
> >
> > Thanks for your help,
> > Aaron
> >
> > [1] http://packages.ubuntu.com/trusty/python2.7
> > [2] https://www.python.org/download/releases/2.7.6/
> > [3] https://www.python.org/downloads/release/python-279/
> > [4] https://www.python.org/dev/peps/pep-0466/
> >
> >
>
> The plan was to update Ubuntu 14.04 to Python 2.7.10. I'm not sure what the
> current status is:
>
> https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1348955
> https://bugs.launchpad.net/ubuntu/+bug/1525507
>
>
> Is there anything I can do to help these bugs get triaged/prioritized and
> assigned?
>
> +d...@canonical.com
> Matthias, can you provide additional context on the background and current
> progress on those bugs?
>
> Thanks,
> Aaron
>
>
>
>
> Marc.
>
>
> --
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
>
>
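
A check for the two behaviour changes named in the thread (PEP 476 certificate validation by default, SSLv3 disabled by default), as an added example that is not part of the original messages; the function name `audit_tls_defaults` and the report keys are made up here. It inspects the running interpreter's `ssl` defaults and also flags a process in which the PEP 476 hook has been rebound to an unverified context.

```python
import ssl
import sys


def audit_tls_defaults():
    """Report whether this interpreter has the TLS defaults discussed above.

    Runs on Python 2.7 and 3.x and needs no network access.
    """
    report = {
        "python": "%d.%d.%d" % tuple(sys.version_info[:3]),
        "has_default_context": hasattr(ssl, "create_default_context"),
        "verifies_certs": False,
        "checks_hostname": False,
        "sslv3_disabled": False,
        "https_verifies": False,
    }
    # Python 2 before 2.7.9 (such as 2.7.6) lacks the backported
    # ssl.create_default_context, so none of the protections apply.
    if not report["has_default_context"]:
        return report

    ctx = ssl.create_default_context()
    report["verifies_certs"] = ctx.verify_mode == ssl.CERT_REQUIRED
    report["checks_hostname"] = bool(ctx.check_hostname)
    report["sslv3_disabled"] = bool(ctx.options & getattr(ssl, "OP_NO_SSLv3", 0))

    # PEP 476: the standard HTTP clients build their HTTPS context through
    # this hook. Code that opts out rebinds it to
    # ssl._create_unverified_context, which restores the old
    # no-validation behaviour for the whole process.
    hook = getattr(ssl, "_create_default_https_context", None)
    if hook is not None:
        https_ctx = hook()
        report["https_verifies"] = (
            https_ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(https_ctx.check_hostname)
        )
    return report


if __name__ == "__main__":
    for key, value in sorted(audit_tls_defaults().items()):
        print("%-20s %s" % (key, value))
```
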