On 24.10.2016 20:02, Aaron Gable wrote:
> Yes, both points are true, which is why I initially asked if this could be
> upgraded as a [security] fix. This is certainly a security upgrade --
> preventing POODLE and actually enforcing SSL validation (which lots of
> folks *think* they're getting, but aren't) are huge wins on the security
> front. And security upgrades are generally not required to be as strictly
> backwards compatible. This change would preserve API compatibility, and
> modify behavior for the better, so I would like to help it move forward.
> What can I do to help resolve the testing difficulties mentioned in
> https://bugs.launchpad.net/ubuntu/+bug/1525507 ?
>
> Aaron
>
> On Fri, Oct 21, 2016 at 2:08 AM Ernst Sjöstrand <ern...@gmail.com> wrote:
>
>> Hi,
>>
>> I'm all in favor of updating things like this, however these two have the
>> potential to break some custom scripts out there I think:
>>
>> - HTTPS certificate validation using the system's certificate store is
>>   now enabled by default. See PEP 476
>>   <https://www.python.org/dev/peps/pep-0476/> for details.
>> - SSLv3 has been disabled by default in httplib and its reverse
>>   dependencies due to the POODLE attack
>>   <https://www.imperialviolet.org/2014/10/14/poodle.html>.
>>
>> Regards
>> //Ernst
>>
>> 2016-10-20 19:28 GMT+02:00 Aaron Gable <aga...@chromium.org>:
>>
>> Thanks!
>>
>> On Wed, Oct 19, 2016 at 11:38 PM Marc Deslauriers <
>> marc.deslauri...@canonical.com> wrote:
>>
>> Hi,
>>
>> On 2016-10-20 03:32 AM, Aaron Gable wrote:
>>> Hi Ubuntu devs,
>>>
>>> I'd like to inquire about the feasibility of including an update to the
>>> python2.7[1] package in Ubuntu 14.04 LTS Trusty Tahr.
>>>
>>> In particular, the package is currently pinned at Python version 2.7.6[2] (from
>>> November 2013). However, version 2.7.9[3] (from December 2014) includes
>>> significant network security enhancements[4] that I believe may justify an update.
>>>
>>> Is such an update simply out of the question for an LTS release? If not, who are
>>> the relevant people for me to discuss this in more depth with?
>>>
>>> Thanks for your help,
>>> Aaron
>>>
>>> [1] http://packages.ubuntu.com/trusty/python2.7
>>> [2] https://www.python.org/download/releases/2.7.6/
>>> [3] https://www.python.org/downloads/release/python-279/
>>> [4] https://www.python.org/dev/peps/pep-0466/
>>>
>>
>> The plan was to update Ubuntu 14.04 to Python 2.7.10. I'm not sure what the
>> current status is:
>>
>> https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1348955
>> https://bugs.launchpad.net/ubuntu/+bug/1525507
>>
>>
>> Is there anything I can do to help these bugs get triaged/prioritized and
>> assigned?
>>
>> +d...@canonical.com
>> Matthias, can you provide additional context on the background and current
>> progress on those bugs?

left a comment in https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1348955

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com