Showing content from http://mail.python.org/pipermail/python-dev/attachments/20180906/821c6351/attachment-0001.html below:
<div dir="ltr">FWIW I'm with Antoine here -- XML is still important and I'd like us to go the extra mile here, not just give up because the issues have been inactive for a long time. We can't control what PyYAML does, but for the stdlib XML code, the buck stops here, and we should do the responsible thing.<br></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Sep 6, 2018 at 7:49 AM Antoine Pitrou <<a href="mailto:antoine@python.org">antoine@python.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Le 06/09/2018 à 16:40, Victor Stinner a écrit :<br>
> Le jeu. 6 sept. 2018 à 16:33, Antoine Pitrou <<a href="mailto:solipsis@pitrou.net" target="_blank">solipsis@pitrou.net</a>> a écrit :<br>
>> If we consider fixing these issues to be desirable, then the issues<br>
>> should be kept open. Closing issues because no-one is working on them<br>
>> sounds a bit silly to me.<br>
> <br>
> I forgot to mention that closing these issues is my reply to Larry's<br>
> call to fix 3 security issues:<br>
> <br>
> <a href="https://mail.python.org/pipermail/python-committers/2018-August/006031.html" rel="noreferrer" target="_blank">https://mail.python.org/pipermail/python-committers/2018-August/006031.html</a><br>
> <br>
> Larry wrote "If they're really all wontfix, maybe we should mark them<br>
> as wontfix, thus giving 3.4 a sendoff worthy of its heroic stature."<br>
<br>
"wontfix" on 3.4 doesn't mean we won't fix them later, e.g. in 3.8.<br>
<br>
> For these XML issues, the security vulnerabilities can also been seen<br>
> as XML features. Loading an external DTD is part of the XML<br>
> specification, as well as entity expansion.<br>
<br>
That doesn't mean there shouldn't be any hard limits to expansion depth<br>
or breadth.<br>
<br>
Function calls are a Python feature, yet we limit the amount of<br>
recursion allowed.<br>
<br>
Regards<br>
<br>
Antoine.<br>
_______________________________________________<br>
Python-Dev mailing list<br>
<a href="mailto:Python-Dev@python.org" target="_blank">Python-Dev@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/python-dev" rel="noreferrer" target="_blank">https://mail.python.org/mailman/listinfo/python-dev</a><br>
Unsubscribe: <a href="https://mail.python.org/mailman/options/python-dev/guido%40python.org" rel="noreferrer" target="_blank">https://mail.python.org/mailman/options/python-dev/guido%40python.org</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">--Guido van Rossum (<a href="http://python.org/~guido" target="_blank">python.org/~guido</a>)</div>
RetroSearch is an open source project built by @garambo
| Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4