Status of defusedxml and recommendation in docs

This directly answers my original question, so thank you. I agree that it seems relevant and I would prefer if defusedxml continues to be the recommended way to use the standard library securely. For me, that still suggests that perhaps defusedxml should be incorporated directly into the standard library, especially given the following:

  • Core Python developers explicitly consider the standard library implementation to be inherently insecure
  • Core Python developers have specifically recommended defusedxml as the safe way to use the standard library implementations for over 10 years now

I’d also like to note that it seems oddly coincidental that the first time defusedxml has received updates in over a year occurred on the same day that I originally opened this discussion. But it’s great to see that the project is still active and I am grateful to @tiran for the continued support.

I think I’m pushing on it. But I’m just a guy with an opinion. :sweat_smile:

Thanks for clearing up my misunderstanding; obviously I’ve used the wrong terminology wrt PSF vs core developers. And I don’t mean for anything I’ve said to imply anything but gratitude to the community of volunteers and core developers who maintain Python (and defusedxml) for the world. I aspire to contribute to Python myself someday.

But just in case my misunderstanding helps illuminate an outside perspective: this recommendation has been part of the public Python documentation for over 10 years now. For the vast majority of developers and security practitioners who visit, a recommendation of this nature is taken as gospel truth. I think at the very least that should be part of the context for any discussion around documentation updates and the nature of support for defusedxml.

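For readers who have not seen what the documentation's warning is actually about, the following is an added, stand-alone illustration (it is not part of the discussion above and not defusedxml's own code). It parses a constructed, deliberately small entity-expansion ("billion laughs" style) document with the plain standard library, which expands the entities silently, and then with a guarded parser that installs expat handlers to reject any entity declaration before it can be expanded. The guard mirrors the general approach defusedxml takes but is a simplified stdlib-only sketch; the sample documents, the `ForbiddenEntity` exception and the function names are assumptions made for this example. In real code, use defusedxml itself rather than this sketch.

```python
"""Added illustration: stdlib XML entity expansion vs. a defusedxml-style guard.

Not defusedxml's code. The guard below installs expat handlers that raise on
entity declarations and external entity references, which is the same idea
defusedxml applies, reduced to a few lines for demonstration.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenEntity(ValueError):
    """Raised when a document declares or references an entity."""


# Constructed sample: a tiny "billion laughs" style document. Three levels of
# ten references each turn a ~300-byte input into 1000 copies of "lol"
# (3000 bytes). Kept small on purpose so the unguarded parse is harmless.
LAUGHS_XML = (
    "<!DOCTYPE bomb [\n"
    '  <!ENTITY lol "lol">\n'
    '  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
    '  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\n'
    '  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">\n'
    "]>\n"
    "<bomb>&lol3;</bomb>\n"
)

# Constructed sample: an ordinary document with no DTD, which the guard must
# still accept unchanged.
PLAIN_XML = "<order><item sku='A-1'>2</item><item sku='B-7'>5</item></order>"


def stdlib_parse(data: str) -> ET.Element:
    """Plain xml.etree parse: internal entity references are expanded silently."""
    return ET.fromstring(data)


def guarded_parse(data: str) -> ET.Element:
    """Parse with expat directly, refusing any entity declaration.

    Element construction is delegated to xml.etree's TreeBuilder, so the result
    is an ordinary Element tree. An entity declaration in the DTD triggers
    EntityDeclHandler before anything is expanded, and the exception raised
    there propagates out of Parse().
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        raise ForbiddenEntity(f"entity declaration not allowed: {name!r}")

    def reject_external(context, base, system_id, public_id):
        raise ForbiddenEntity(f"external entity reference not allowed: {system_id!r}")

    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    parser.Parse(data, True)
    return builder.close()


def demo() -> dict:
    """Run both parsers over both samples and summarise what happened."""
    result = {
        "stdlib_expanded_text_length": len(stdlib_parse(LAUGHS_XML).text),
        "guarded_plain_skus": [item.get("sku") for item in guarded_parse(PLAIN_XML)],
    }
    try:
        guarded_parse(LAUGHS_XML)
        result["guarded_bomb"] = "parsed (unexpected)"
    except ForbiddenEntity as exc:
        result["guarded_bomb"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The interesting comparison is the first and last lines of the output: the standard library happily produces 3000 bytes of text from a few hundred bytes of input, while the guarded parser stops at the first `<!ENTITY` declaration and never reaches the payload. Scale the nesting depth up and the unguarded version is the classic denial-of-service the documentation warns about (newer expat releases add an amplification limit, but it only activates above a sizeable input threshold, so do not rely on it).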