<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="color-scheme" content="light dark">
<title>PEP 546 Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7 | peps.python.org</title>
<link rel="shortcut icon" href="../_static/py.png">
<link rel="canonical" href="https://peps.python.org/pep-0546/">
<link rel="stylesheet" href="../_static/style.css" type="text/css">
<link rel="stylesheet" href="../_static/mq.css" type="text/css">
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" media="(prefers-color-scheme: light)" id="pyg-light">
<link rel="stylesheet" href="../_static/pygments_dark.css" type="text/css" media="(prefers-color-scheme: dark)" id="pyg-dark">
<link rel="alternate" type="application/rss+xml" title="Latest PEPs" href="https://peps.python.org/peps.rss">
<meta property="og:title" content='PEP 546 Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7 | peps.python.org'>
<meta property="og:type" content="website">
<meta property="og:url" content="https://peps.python.org/pep-0546/">
<meta property="og:site_name" content="Python Enhancement Proposals (PEPs)">
<meta property="og:image" content="https://peps.python.org/_static/og-image.png">
<meta property="og:image:alt" content="Python PEPs">
<meta property="og:image:width" content="200">
<meta property="og:image:height" content="200">
<meta name="description" content="Python Enhancement Proposals (PEPs)">
<meta name="theme-color" content="#3776ab">
</head>
<body>
<svg xmlns="http://www.w3.org/2000/svg" style="display: none;">
<symbol id="svg-sun-half" viewBox="0 0 24 24" pointer-events="all">
<title>Following system colour scheme</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="9"></circle>
<path d="M12 3v18m0-12l4.65-4.65M12 14.3l7.37-7.37M12 19.6l8.85-8.85"></path>
</svg>
</symbol>
<symbol id="svg-moon" viewBox="0 0 24 24" pointer-events="all">
<title>Selected dark colour scheme</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<path stroke="none" d="M0 0h24v24H0z" fill="none"></path>
<path d="M12 3c.132 0 .263 0 .393 0a7.5 7.5 0 0 0 7.92 12.446a9 9 0 1 1 -8.313 -12.454z"></path>
</svg>
</symbol>
<symbol id="svg-sun" viewBox="0 0 24 24" pointer-events="all">
<title>Selected light colour scheme</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="5"></circle>
<line x1="12" y1="1" x2="12" y2="3"></line>
<line x1="12" y1="21" x2="12" y2="23"></line>
<line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line>
<line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line>
<line x1="1" y1="12" x2="3" y2="12"></line>
<line x1="21" y1="12" x2="23" y2="12"></line>
<line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line>
<line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line>
</svg>
</symbol>
</svg>
<script>
document.documentElement.dataset.colour_scheme = localStorage.getItem("colour_scheme") || "auto"
</script>
<section id="pep-page-section">
<header>
<h1>Python Enhancement Proposals</h1>
<ul class="breadcrumbs">
<li><a href="https://www.python.org/" title="The Python Programming Language">Python</a> &raquo; </li>
<li><a href="../pep-0000/">PEP Index</a> &raquo; </li>
<li>PEP 546</li>
</ul>
<button id="colour-scheme-cycler" onClick="setColourScheme(nextColourScheme())">
<svg aria-hidden="true" class="colour-scheme-icon-when-auto"><use href="#svg-sun-half"></use></svg>
<svg aria-hidden="true" class="colour-scheme-icon-when-dark"><use href="#svg-moon"></use></svg>
<svg aria-hidden="true" class="colour-scheme-icon-when-light"><use href="#svg-sun"></use></svg>
<span class="visually-hidden">Toggle light / dark / auto colour theme</span>
</button>
</header>
<article>
<section id="pep-content">
<h1 class="page-title">PEP 546 Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7</h1>
<dl class="rfc2822 field-list simple">
<dt class="field-odd">Author<span class="colon">:</span></dt>
<dd class="field-odd">Victor Stinner &lt;vstinner&#32;&#97;t&#32;python.org&gt;,
Cory Benfield &lt;cory&#32;&#97;t&#32;lukasa.co.uk&gt;</dd>
<dt class="field-even">BDFL-Delegate<span class="colon">:</span></dt>
<dd class="field-even">Benjamin Peterson &lt;benjamin&#32;&#97;t&#32;python.org&gt;</dd>
<dt class="field-odd">Status<span class="colon">:</span></dt>
<dd class="field-odd"><abbr title="Formally declined and will not be accepted">Rejected</abbr></dd>
<dt class="field-even">Type<span class="colon">:</span></dt>
<dd class="field-even"><abbr title="Normative PEP with a new feature for Python, implementation change for CPython or interoperability standard for the ecosystem">Standards Track</abbr></dd>
<dt class="field-odd">Created<span class="colon">:</span></dt>
<dd class="field-odd">30-May-2017</dd>
<dt class="field-even">Python-Version<span class="colon">:</span></dt>
<dd class="field-even">2.7</dd>
<dt class="field-odd">Post-History<span class="colon">:</span></dt>
<dd class="field-odd">23-May-2017</dd>
<dt class="field-even">Resolution<span class="colon">:</span></dt>
<dd class="field-even"><a class="reference external" href="https://mail.python.org/pipermail/python-dev/2017-June/148301.html">Python-Dev message</a></dd>
</dl>
<hr class="docutils" />
<section id="contents">
<details><summary>Table of Contents</summary><ul class="simple">
<li><a class="reference internal" href="#abstract">Abstract</a></li>
<li><a class="reference internal" href="#rejection-notice">Rejection Notice</a></li>
<li><a class="reference internal" href="#rationale">Rationale</a><ul>
<li><a class="reference internal" href="#pep-543">PEP 543</a></li>
<li><a class="reference internal" href="#requests-pip-and-ensurepip">requests, pip and ensurepip</a></li>
<li><a class="reference internal" href="#other-benefits">Other Benefits</a></li>
</ul>
</li>
<li><a class="reference internal" href="#concerns">Concerns</a><ul>
<li><a class="reference internal" href="#what-about-old-python-2">What About Old Python 2?</a></li>
</ul>
</li>
<li><a class="reference internal" href="#changes">Changes</a></li>
<li><a class="reference internal" href="#links">Links</a></li>
<li><a class="reference internal" href="#discussions">Discussions</a></li>
<li><a class="reference internal" href="#copyright">Copyright</a></li>
</ul>
</details></section>
<section id="abstract">
<h2><a class="toc-backref" href="#abstract" role="doc-backlink">Abstract</a></h2>
<p>Backport the ssl.MemoryBIO and ssl.SSLObject classes from Python 3 to Python
2.7 to enhance the overall security of Python 2.7.</p>
</section>
<section id="rejection-notice">
<h2><a class="toc-backref" href="#rejection-notice" role="doc-backlink">Rejection Notice</a></h2>
<p>This PEP is rejected, see <a class="reference external" href="https://mail.python.org/pipermail/python-dev/2018-May/153760.html">Withdraw PEP 546? Backport ssl.MemoryBIO and
ssl.SSLObject to Python 2.7</a>
discussion for the rationale.</p>
</section>
<section id="rationale">
<h2><a class="toc-backref" href="#rationale" role="doc-backlink">Rationale</a></h2>
<p>While Python 2.7 is getting closer to its end-of-support date (scheduled for
2020), it is still used on production systems and the Python community is still
responsible for its security. This PEP will help facilitate the future adoption
of <a class="pep reference internal" href="../pep-0543/" title="PEP 543 A Unified TLS API for Python">PEP 543</a> across all supported Python versions, which will improve security
for both Python 2 and Python 3 users.</p>
<p>This PEP does NOT propose a general exception for backporting new
features to Python 2.7 - every new feature proposed for backporting will
still need to be justified independently. In particular, it will need to
be explained why relying on an independently updated backport on the
Python Package Index instead is not an acceptable solution.</p>
<section id="pep-543">
<h3><a class="toc-backref" href="#pep-543" role="doc-backlink">PEP 543</a></h3>
<p><a class="pep reference internal" href="../pep-0543/" title="PEP 543 A Unified TLS API for Python">PEP 543</a> defines a new TLS API for Python which would enhance Python
security by giving Python applications access to the native TLS implementations
on Windows and macOS, instead of using OpenSSL. A side effect is that it gives
access to the system trust store and certificates installed
locally by system administrators, enabling Python applications to use “company
certificates” without having to modify each application and so to correctly
validate TLS certificates (instead of having to ignore or bypass TLS
certificate validation).</p>
<p>For practical reasons, Cory Benfield would like to first implement an
I/O-less class similar to ssl.MemoryBIO and ssl.SSLObject for
<a class="pep reference internal" href="../pep-0543/" title="PEP 543 A Unified TLS API for Python">PEP 543</a>, and to provide a second class based on the first one to use
sockets or file descriptors. This design would help to structure the code
to support more backends and simplify testing and auditing, as well as
implementation. Later, optimized classes that use sockets or file
descriptors directly may be added for performance.</p>
<p>While <a class="pep reference internal" href="../pep-0543/" title="PEP 543 A Unified TLS API for Python">PEP 543</a> defines an API, the PEP would only make sense if it
comes with at least one complete and good implementation. The first
implementation would ideally be based on the <code class="docutils literal notranslate"><span class="pre">ssl</span></code> module of the Python
standard library, as this is shipped to all users by default and can be used as
a fallback implementation in the absence of anything more targeted.</p>
<p>If this backport is not performed, the only baseline implementation that could
be used would be pyOpenSSL. This is problematic, however, because of the
interaction with pip, which is shipped with CPython on all supported versions.</p>
</section>
<section id="requests-pip-and-ensurepip">
<h3><a class="toc-backref" href="#requests-pip-and-ensurepip" role="doc-backlink">requests, pip and ensurepip</a></h3>
<p>There are plans afoot to look at moving Requests to a more event-loop-y
model. The Requests team does not feel at this time it is possible to abandon
support for Python 2.7, so doing so would require using either Twisted or
Tornado, or writing their own asynchronous abstraction.</p>
<p>For asynchronous code, a MemoryBIO provides substantial advantages over using a
wrapped socket. It reduces the amount of buffering that must be done, works on
IOCP-based reactors as well as select/poll based ones, and also greatly
simplifies the reactor and implementation code. For this reason, Requests is
disinclined to use a wrapped-socket-based implementation. In the absence of a
backport to Python 2.7, Requests is required to use the same solution that
Twisted does: namely, a mandatory dependency on <a class="reference external" href="https://pypi.python.org/pypi/pyOpenSSL">pyOpenSSL</a>.</p>
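<p>The I/O-less design described in the PEP 543 section and the MemoryBIO advantages above, as an added example that is not part of PEP 546 or of any project it names. It uses the Python 3 <code class="docutils literal notranslate"><span class="pre">ssl.MemoryBIO</span></code> / <code class="docutils literal notranslate"><span class="pre">ssl.SSLObject</span></code> API that the PEP proposed to backport; the class and function names, the hostname <code class="docutils literal notranslate"><span class="pre">example.invalid</span></code> and the sample HTTP bytes are constructed for illustration.</p>

```python
# Added example (not from PEP 546): driving an I/O-less TLS client with the
# Python 3 ssl.MemoryBIO / ssl.SSLObject API. No socket is involved: the
# application (or an event loop) shuttles bytes between the two MemoryBIOs
# and whatever transport it owns, which is what makes this usable on
# IOCP-based reactors as well as select/poll ones.
import ssl


class MemoryTLSClient:
    """Client-side TLS state machine that never touches a socket (hypothetical name)."""

    def __init__(self, server_hostname):
        # Verification settings live on the context as usual; certificate and
        # hostname checking still apply even though there is no socket.
        ctx = ssl.create_default_context()
        self.incoming = ssl.MemoryBIO()   # bytes received from the network
        self.outgoing = ssl.MemoryBIO()   # bytes that must be sent to the network
        self.sslobj = ctx.wrap_bio(self.incoming, self.outgoing,
                                   server_hostname=server_hostname)
        self.handshake_done = False

    def step(self, data=b""):
        """Feed network bytes in, advance the handshake, return (to_send, done).

        SSLWantReadError means "give me more input"; any other SSLError is a
        real protocol failure and propagates to the caller.
        """
        if data:
            self.incoming.write(data)
        try:
            self.sslobj.do_handshake()
            self.handshake_done = True
        except ssl.SSLWantReadError:
            pass  # handshake incomplete; still flush what OpenSSL produced
        return self.outgoing.read(), self.handshake_done


def first_flight(server_hostname="example.invalid"):
    """Return the client's opening TLS record (the ClientHello) and done flag."""
    client = MemoryTLSClient(server_hostname)
    return client.step()


def feed_non_tls(server_hostname="example.invalid"):
    """Failure mode: non-TLS bytes where a ServerHello was expected."""
    client = MemoryTLSClient(server_hostname)
    client.step()  # emit the ClientHello first
    # Constructed sample input: a plaintext HTTP reply instead of a TLS record.
    try:
        client.step(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    except ssl.SSLWantReadError:
        return "want_read"
    except ssl.SSLError:
        return "protocol_error"
    return "unexpected"


if __name__ == "__main__":
    hello, done = first_flight()
    print("ClientHello record: %d bytes, handshake done: %s" % (len(hello), done))
    print("Non-TLS input result:", feed_non_tls())
```

A server-side SSLObject is driven the same way with <code class="docutils literal notranslate"><span class="pre">server_side=True</span></code>; the event loop only ever moves bytes between BIOs and its transport.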
<p>The <a class="reference external" href="https://pip.pypa.io/">pip</a> program has to embed all its
dependencies for practical reasons: namely, that it cannot rely on any other
installation method being present. Since pip depends on requests, it means
that it would have to embed a copy of pyOpenSSL. That would imply substantial
usability pain to install pip. Currently, pip doesn't support embedding
C extensions, which must be compiled on each platform and so require a C
compiler.</p>
<p>Since Python 2.7.9, Python embeds a copy of pip both for default
installation and for use in virtual environments via the new <code class="docutils literal notranslate"><span class="pre">ensurepip</span></code>
module. If pip ends up bundling PyOpenSSL, then CPython will end up
bundling PyOpenSSL. Only backporting <code class="docutils literal notranslate"><span class="pre">ssl.MemoryBIO</span></code> and
<code class="docutils literal notranslate"><span class="pre">ssl.SSLObject</span></code> would avoid the need to embed pyOpenSSL, and would fix the
bootstrap issue (python -&gt; ensurepip -&gt; pip -&gt; requests -&gt; MemoryBIO).</p>
<p>This situation is less problematic than the barrier to adoption of <a class="pep reference internal" href="../pep-0543/" title="PEP 543 A Unified TLS API for Python">PEP 543</a>, as
naturally Requests does not have to move to an event loop model before it drops
support for Python 2.7. However, it does make it painful for Requests (and pip)
to embrace both asyncio and the <code class="docutils literal notranslate"><span class="pre">async</span></code> and <code class="docutils literal notranslate"><span class="pre">await</span></code> keywords for as long as
it continues to support Python 2.</p>
</section>
<section id="other-benefits">
<h3><a class="toc-backref" href="#other-benefits" role="doc-backlink">Other Benefits</a></h3>
<p>Adopting this PEP would have other smaller ecosystem benefits. For example,
Twisted would be able to reduce its dependency on third-party C extensions.
Additionally, the PyOpenSSL development team would like to sunset the module,
and this backport would free them up to do so in a graceful manner without
leaving their users in the lurch.</p>
<p>Each of these fringe benefits, while small, also provides value to the wider
Python ecosystem.</p>
</section>
</section>
<section id="concerns">
<h2><a class="toc-backref" href="#concerns" role="doc-backlink">Concerns</a></h2>
<p>There are some concerns that people have about this backport.</p>
<section id="what-about-old-python-2">
<h3><a class="toc-backref" href="#what-about-old-python-2" role="doc-backlink">What About Old Python 2?</a></h3>
<p>A number of the Python 2 users in the world are not keeping pace with Python 2
releases. This is most usually because they are using LTS releases that are not
keeping pace with the minor releases of Python 2. These users would not be able
to use the MemoryBIO, and so projects concerned with Python 2 compatibility may
be unable to rely on the MemoryBIO being present on most of their users'
systems.</p>
<p>This concern is reasonable. How critical it is depends on the likelihood of
current users of Python 2 migrating to Python 3, or just trying to use the most
recent Python 2 release. Put another way, at some point libraries will want to
drop Python 2 support: the question is only whether a significant majority of
their Python 2 users have moved to whatever Python 2 release contains this
backport before they do so.</p>
<p>Ultimately, the authors of this PEP believe that the burden of this backport is
sufficiently minimal to justify backporting despite this concern. If it turns
out that migration to newer 2.7 releases is too slow, then the value of the
work will be minimal, but if the migration to newer 2.7 releases is anything
like reasonable then there will be substantial value gained.</p>
</section>
</section>
<section id="changes">
<h2><a class="toc-backref" href="#changes" role="doc-backlink">Changes</a></h2>
<p>Add <code class="docutils literal notranslate"><span class="pre">MemoryBIO</span></code> and <code class="docutils literal notranslate"><span class="pre">SSLObject</span></code> classes to the <code class="docutils literal notranslate"><span class="pre">ssl</span></code> module of
Python 2.7.</p>
<p>The code will be backported and adapted from the master branch
(Python 3).</p>
<p>The backport also significantly reduces the size of the Python 2/Python
3 difference of the <code class="docutils literal notranslate"><span class="pre">_ssl</span></code> module, which makes maintenance easier.</p>
</section>
<section id="links">
<h2><a class="toc-backref" href="#links" role="doc-backlink">Links</a></h2>
<ul class="simple">
<li><a class="pep reference internal" href="../pep-0543/" title="PEP 543 A Unified TLS API for Python">PEP 543</a></li>
<li><a class="reference external" href="https://bugs.python.org/issue22559">[backport] ssl.MemoryBIO</a>: Implementation of this PEP
written by Alex Gaynor (first version written in October 2014)</li>
<li><a class="pep reference internal" href="../pep-0466/" title="PEP 466 Network Security Enhancements for Python 2.7.x">PEP 466</a></li>
</ul>
</section>
<section id="discussions">
<h2><a class="toc-backref" href="#discussions" role="doc-backlink">Discussions</a></h2>
<ul class="simple">
<li><a class="reference external" href="https://mail.python.org/pipermail/python-dev/2017-May/147981.html">[Python-Dev] Backport ssl.MemoryBIO on Python 2.7?</a>
(May 2017)</li>
</ul>
</section>
<section id="copyright">
<h2><a class="toc-backref" href="#copyright" role="doc-backlink">Copyright</a></h2>
<p>This document has been placed in the public domain.</p>
</section>
</section>
<hr class="docutils" />
<p>Source: <a class="reference external" href="https://github.com/python/peps/blob/main/peps/pep-0546.rst">https://github.com/python/peps/blob/main/peps/pep-0546.rst</a></p>
<p>Last modified: <a class="reference external" href="https://github.com/python/peps/commits/main/peps/pep-0546.rst">2023-09-09 17:39:29 GMT</a></p>
</article>
<nav id="pep-sidebar">
<h2>Contents</h2>
<ul>
<li><a class="reference internal" href="#abstract">Abstract</a></li>
<li><a class="reference internal" href="#rejection-notice">Rejection Notice</a></li>
<li><a class="reference internal" href="#rationale">Rationale</a><ul>
<li><a class="reference internal" href="#pep-543">PEP 543</a></li>
<li><a class="reference internal" href="#requests-pip-and-ensurepip">requests, pip and ensurepip</a></li>
<li><a class="reference internal" href="#other-benefits">Other Benefits</a></li>
</ul>
</li>
<li><a class="reference internal" href="#concerns">Concerns</a><ul>
<li><a class="reference internal" href="#what-about-old-python-2">What About Old Python 2?</a></li>
</ul>
</li>
<li><a class="reference internal" href="#changes">Changes</a></li>
<li><a class="reference internal" href="#links">Links</a></li>
<li><a class="reference internal" href="#discussions">Discussions</a></li>
<li><a class="reference internal" href="#copyright">Copyright</a></li>
</ul>
<br>
<a id="source" href="https://github.com/python/peps/blob/main/peps/pep-0546.rst">Page Source (GitHub)</a>
</nav>
</section>
<script src="../_static/colour_scheme.js"></script>
<script src="../_static/wrap_tables.js"></script>
<script src="../_static/sticky_banner.js"></script>
</body>
</html>