On 28/02/15 03:07, Burton, Ross wrote:
IIRC the general argument is if that if you're assuming a self-signed certification is valid, you've lost so much security. We're in the middle of a development cycle so this will only impact people using or moving to 1.8.
I'm completely in favour of this change from the security point of view. However, it is likely to trip up a few people, so the change in behaviour should be prominently highlighted in the release notes. I also think that it may be a good idea to keep 2.7.3 around so that it is possible to move to new oe-core and keep the old python around. I would not be surprised if there were other differences between 2.7.3 and 2.7.9 that complicate life. My main rationale for keeping both 2.7.3 and 2.7.9 would be that 2.7.9 can not be made backwards compatible when it comes to the SSL certificates. The only fix is at the source code level for every application that uses SSL based protocols or alternatively convincing the server operators to use certificates issued by well known CAs. For my use case scenario, that's not workable because the user of the device can download packages from third party feeds, including closed source plugins. Yes, 2.7.9 is doing the right thing, but in this case doing the right thing breaks too much stuff.
I've just verified that python-imaging works for me (and works on the autobuilders), so if you can replicate the failure on demand that filing a bug would be useful.
Good to know that is is something that is specific to my setup. I'll look into it again when I have a little bit of time on my hands. Right now I've put python 2.7.3 in my local overlay and am using it to get work done.
-- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
