On Fri, Jun 25, 2021 at 11:17:09AM -0700, Guido van Rossum wrote:
> On Fri, Jun 25, 2021 at 8:22 AM Bluenix wrote:
>
> > I am not fully aware of how ssl.SSLContext is used, but adding __slots__
> > would prevent this. You would see an error similar to: AttributeError:
> > 'MyClass' object has no attribute 'my_attribute'
> >
>
> That's a reasonable solution, except that it's not backwards compatible.
> It's possible that there is code out there that for some reason adds
> private attributes to an SSLContext instance, and using __slots__ would
> break such usage. (They could perhaps fix their code by using a dummy
> subclass, but that could well become a non-trivial change to their code,
> depending on where they get their SSLContext instances.)

Given that this is a mildly troubling security flaw/bug/vulnerability, I
think that breaking backwards-compatibility is justified. If that
requires a few users to subclass SSLContext, that's a relatively small
cost for fixing the bug.

I don't think it is serious enough to justify it in minor releases, but
we can surely fix it in 3.11 or maybe even 3.10 if we move fast? (3.10.0
candidate 1 is scheduled for August.)

I have no opinion whether it should be considered serious enough to
backport to older versions, but I think it justifies a small
backwards-incompatible change going forward.

--
Steve

Python-ideas mailing list
Message archived at https://mail.python.org/archives/list/[email protected]/message/PKEZL2GSXO34NYFO7AFO2SQ46ST7DPR4/
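
The trade-off discussed in this thread, as an added example that is not part of the original emails or of CPython: a misspelled setting on a real `ssl.SSLContext` is stored silently, while a class with `__slots__` rejects it, along with the private attributes existing code may add. `SlottedContext`, `CompatContext`, `try_set` and the misspelled name `minimum_verison` are hypothetical stand-ins constructed for illustration.

```python
import ssl


def typo_is_silently_accepted():
    """Current behaviour: the misspelled name lands in the instance __dict__
    and the real setting keeps its previous value."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    before = ctx.minimum_version
    ctx.minimum_verison = ssl.TLSVersion.TLSv1_3  # constructed typo
    return ctx.minimum_version == before and "minimum_verison" in vars(ctx)


class SlottedContext:
    """Hypothetical stand-in for a context class that declares __slots__."""
    __slots__ = ("minimum_version", "check_hostname")

    def __init__(self):
        self.minimum_version = "TLSv1.2"
        self.check_hostname = True


class CompatContext(SlottedContext):
    """The 'dummy subclass' workaround: no __slots__ here, so instances
    get a __dict__ again."""


def try_set(obj, name, value):
    """Return None if the assignment succeeded, else the error message."""
    try:
        setattr(obj, name, value)
    except AttributeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("typo accepted on ssl.SSLContext:", typo_is_silently_accepted())
    # With __slots__ the typo fails loudly ...
    print(try_set(SlottedContext(), "minimum_verison", "TLSv1.3"))
    # ... but so does code that attaches private attributes.
    print(try_set(SlottedContext(), "_my_private", 1))
    # The dummy subclass restores private attributes ...
    print(try_set(CompatContext(), "_my_private", 1))
    # ... and also accepts the typo again on its instances.
    print(try_set(CompatContext(), "minimum_verison", "TLSv1.3"))
```

The last call shows a cost of the workaround: instances of the dummy subclass lose the typo protection that `__slots__` provided.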
