[Twisted-Python] twisted.protocols.telnet or twisted.conch.telnet?

glyph at divmod.com
Sun Mar 19 19:56:00 EST 2006


On Sun, 19 Mar 2006 11:51:23 -0800, James Schend <blakeyrat at gmail.com> wrote:

>So for me, stability is the number one concern.  However, I can't
>distribute the old version of the library because of the potential for
>undiscovered security holes.

Practically speaking, the potential for security holes in the code you're discussing is vanishingly small.  If there is a hole, we will likely release a minor-version patch for people still using recent affected releases, especially if the interface has changed.  I say this because there have almost never been holes in Twisted, and when there have been, they've been spotted so fast that a minor-version release was available soon after they were introduced.

You could easily include a tiny telnet module with your library without being worried about security holes.  twisted.protocols.telnet is 159 SLOC; twisted.conch.telnet is 572 SLOC.  If you know enough to be this concerned about security issues, surely you know enough to perform an audit of that small amount of code.  (Especially when half of it, in the latter case, is simply declaration of constants.)

>So we're back to "damned if I do, damned if I don't."

Welcome to the internet ;-).

At the core of this issue is a labor problem.  If you care about the telnet module, you could offer to provide the necessary labor (or funds!) to maintain it, which would accelerate conch's official replacement of twisted.protocols.telnet, simplifying this situation.  As maintainer, you could also exercise some degree of control over changes to the telnet module which would avoid breaking your application.

What you are asking for right now is a guarantee of stability from people who simply don't have the resources to provide it to you.  If we could do that for free, we probably would, but it needs a dedicated maintainer, a clear plan for future development, some documentation, etc etc.

>Anyway, I'll keep looking.  Maybe there's another library out there
>that implements what I need with a stable interface.  Thanks.

This is vanishingly unlikely.  If you find a Twisted clone (with a proper telnet implementation!) which is open source, well maintained, and well documented, please let us know where it is.



