diff --git a/pep-0546.txt b/pep-0546.txt new file mode 100644 index 00000000000..38e2fbc6221 --- /dev/null +++ b/pep-0546.txt 
@@ -0,0 +1,141 @@ +PEP: 546 +Title: Backport ssl.MemoryBIO and ssl.SSLObject to Python 2.7 +Version: $Revision$ +Last-Modified: $Date$ +Author: Victor Stinner , +Status: Draft +Type: Standards Track +Content-Type: text/x-rst +Created: 30-May-2017 + + +Abstract +======== + +Backport ssl.MemoryBIO and ssl.SSLObject classes from Python 3 to Python +2.7 to enhance the overall security of Python 2.7. + + +Rationale +========= + +While Python 2.7 is getting closer to its end-of-line (scheduled for +2020), it is still used on production and the Python community is still +responsible for its security. And to facilitate the future adoption of +:pep:`543`, which will improve security for Python3 users. + +This PEP does NOT propose a general exception for backporting new +features to Python 2.7 - every new feature proposed for backporting will +still need to be justified independently. In particular, it will need to +be explained why relying on an independently updated backport on the +Python Package Index instead is not an acceptable solution. + + +PEP 543 +------- + +The :pep:`543` defines a new TLS API for Python which would enhance the +Python security: give access to the root certificate authorities on +Windows and macOS by using native APIs, instead of OpenSSL. A side effect +is that it gives access to certificates installed locally by system +administrators, allowing to use "company certificates" without having to +modify each Python application and so validate correctly TLS +certificates (instead of having to ignore or bypass the TLS certificate +validation). + +For practical reasons, Cory Benfield would like to first implement an +I/O-less class similar to ssl.MemoryBIO and ssl.SSLObject for the +:pep:`543`, and provide a second class based on the first one to use +sockets or file descriptors. This design would help to structure the code +to support more backends and simplify testing and auditing. 
Later, +optimized classes using directly sockets or file descriptors may be +added for performance. + +While the :pep:`543` defines an API, the PEP would only make sense if it +comes with at least one complete and good implementation. The first +implementation will be based on the ``ssl`` module of the Python +standard library. + +In a perfect world, all applications would already run on Python 3 since +Python 3.0 was released. In practice, many applications still run on +production on top of Python 2.7. To make the new TLS API more widely +used, it should be usable on all Python versions currently supported: +Python 2.7, 3.5, 3.6. Otherwise, some applications would have to wait +until they drop Python 2 support to be able to use the new TLS API. + +Delaying adoption of the PEP 543 API means delaying the adoption for +security improvements for Python 3 users as well. + + +requests, pip and ensurepip +--------------------------- + +There are plans afoot to look at moving Requests to a more event-loop-y +model, and doing so basically mandates a MemoryBIO. In the absence of a +Python 2.7 backport, Requests is required to basically use the same +solution that Twisted currently does: namely, a mandatory dependency on +`pyOpenSSL `_. + +The `pip `_ program has to embed all its +dependencies for pratical reason. Since pip depends on requests, it means +that it would have to embed a copy of pyOpenSSL. That would imply +usability pain to install pip. Currently, pip doesn't support embedding +C extensions which must be compiled on each platform and so require a C +compiler. + +Since Python 2.7.9, Python embeds a copy of pip both for default +installation and for use in virtual environments: the new ``ensurepip`` +module. If pip ends up bundling PyOpenSSL, then Python will end up +bundling PyOpenSSL. 
Only backporting ``ssl.MemoryBIO`` and +``ssl.SSLObject`` would avoid to have to embed pyOpenSSL to only include +the strict minimum features required by requests and fix the bootstrap +issue (python -> ensurepip -> pip -> requests -> MemoryBIO). + + +Changes +======= + +Add ``MemoryBIO`` and ``SSLObject`` classes to the ``ssl`` module of +Python 2.7. + +The code will be backported and adapted from the master branch +(Python 3). + +The backport also significantly reduced the size of the Python 2/Python +3 difference of the ``_ssl`` module, which make maintenance easier. + + +Links +===== + +* :pep:`543` +* `[backport] ssl.MemoryBIO + `_: Implementation of this PEP + written by Alex Gaynor (first version written at October 2014) +* :pep:`466` + + +Discussions +=========== + +* `[Python-Dev] Backport ssl.MemoryBIO on Python 2.7? + `_ + (May 2017) + + +Copyright +========= + +This document has been placed in the public domain. + + + + +.. + Local Variables: + mode: indented-text + indent-tabs-mode: nil + sentence-end-double-space: t + fill-column: 70 + coding: utf-8 + End:
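Review bot: In the first paragraph of the Rationale, "And to facilitate the future adoption of :pep:`543`, which will improve security for Python3 users." is a fragment with no subject, so the PEP never says in one place what the backport is for. The Abstract claims the backport will "enhance the overall security of Python 2.7", but the two subsections argue this only indirectly: it lets a PEP 543 implementation run on 2.7, and it avoids bundling pyOpenSSL through pip and ensurepip. I suggest rewriting that opening paragraph to state both reasons explicitly. It should also answer the test the next paragraph sets for any backport, namely why "relying on an independently updated backport on the Python Package Index" is not acceptable here. At present the answer can only be inferred from the bootstrap chain at the end of the requests, pip and ensurepip section. Smaller wording points in the same hunk: "end-of-line" should read "end-of-life", "for pratical reason" should read "for practical reasons", and the Changes section mixes "will be backported" with the past-tense "reduced the size ... which make maintenance easier", leaving it unclear whether the size reduction is a measured result of the existing implementation or an expectation.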