[python-committers] "Gratuitous"? incompatibilities in the "fix only" releases
Terry Reedy
tjreedy at udel.edu
Wed Jul 29 19:41:09 CEST 2015
More information about the python-committers mailing list
Wed Jul 29 19:41:09 CEST 2015
- Previous message (by thread): [python-committers] "Gratuitous"? incompatibilities in the "fix only" releases
- Next message (by thread): [python-committers] "Gratuitous"? incompatibilities in the "fix only" releases
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 7/29/2015 1:01 PM, Robert Collins wrote: > On 30 July 2015 at 04:50, Guido van Rossum <guido at python.org> wrote: >> I believe that in this particular case, the bug was fixed (by tightening the >> requirements for headers) because the bug can lead to security >> vulnerabilities. I think you can find more by Googling for keywords like >> "http header injection". The more recent Python 2.7 bugfix releases have >> specific exemptions from the backwards compatibility requirements for >> security fixes -- because their lifespan will still be many years (EOL of >> 2.7 is summer 2020). > > Yeah - this is a security issue, and unfortunately its one that can > break programs [or rather, expose how they were broken already at an > earlier and less susceptible point]. > > As a new committer, I'd like to double check my understanding of the policy: > > https://docs.python.org/devguide/devcycle.html#maintenance-branches > "... > The only changes allowed to occur in a maintenance branch without > debate are bug fixes. Also, a general rule for maintenance branches is > that compatibility must not be broken at any point between sibling > minor releases (3.4.1, 3.4.2, etc.). Since bug fixes break code that depends on the bug (as happened in this case), the second rule appears to be written too strongly. It really needs a short paragraph. Bug fixes should only break code depending on the bug. Bug fixes must not change existing non-buggy features and should not introduce new features. Non-security bug fixes that break too much code deemed to be reasonable are sometimes deferred to the next release. > For both rules, only rare > exceptions are accepted and must be discussed first." > > Where should these things be discussed? I've been discussing with > other committers on the issues in the issue tracker. Is this > sufficient? What is the social norm? Feature additions like adding a new parameter to fix a bug should be discussed on pydev. For instance, difflib.SequenceMatcher gained the autojunk parameter in 2.7.1. I believe the pydev discussion included "Is the issue a bug?" (yes) and "Does it need fixing in the current release?" (yes, it generated multiple bug reports). I believe being early in the long 2.7.x series and the last change to fix in 2.x played a role. Terry
- Previous message (by thread): [python-committers] "Gratuitous"? incompatibilities in the "fix only" releases
- Next message (by thread): [python-committers] "Gratuitous"? incompatibilities in the "fix only" releases
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the python-committers mailing list