Antoine Pitrou <pit...@free.fr> added the comment:

> I'd rather recommend a different approach, where the set of CAs
> doesn't need to be specified for every module that directly or
> indirectly uses SSL. Instead, there should be support for a
> thread-local setting of the allowable CAs, and then no API changes are
> necessary.

While thread-local variables are fine in applications, I think they should be avoided in libraries (especially the stdlib). There are too many pitfalls (for example: the user decides to offload a network task to a separate thread and different SSL parameters get silently used).

The API changes are quite simple, both in concept and in implementation. I think explicit is really better than implicit when it comes to security-critical parameters.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue10795>
_______________________________________
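
Added example, not part of the original message and not stdlib code: a sketch of the pitfall described in the comment, where a CA setting stored in a thread-local is silently absent once the same call is offloaded to a worker thread, next to the explicit-parameter form. The functions `set_thread_ca_file`, `verify_mode_implicit` and `verify_mode_explicit`, the fallback to no verification, and the CA path are all assumptions made for the illustration.

```python
import ssl
import threading
from concurrent.futures import ThreadPoolExecutor

# Hypothetical library state: a per-thread CA setting, as in the quoted proposal.
_tls_settings = threading.local()

def set_thread_ca_file(path):
    """Hypothetical API: set the allowed CA bundle for the calling thread only."""
    _tls_settings.ca_file = path

def verify_mode_implicit():
    """Hypothetical library call that reads the thread-local setting.
    Assumed fallback for this sketch: no verification when nothing is set."""
    ca_file = getattr(_tls_settings, "ca_file", None)
    return (ssl.CERT_REQUIRED, ca_file) if ca_file else (ssl.CERT_NONE, None)

def verify_mode_explicit(ca_file):
    """Hypothetical library call that takes the CA bundle as a parameter."""
    if not ca_file:
        raise ValueError("ca_file is required")
    return (ssl.CERT_REQUIRED, ca_file)

CA_BUNDLE = "/etc/ssl/example-ca.pem"  # constructed placeholder path, never opened

def run_demo():
    set_thread_ca_file(CA_BUNDLE)  # configured once, in the main thread
    main_result = verify_mode_implicit()
    with ThreadPoolExecutor(max_workers=1) as pool:
        # Same call, offloaded: the worker thread has its own empty thread-local.
        worker_implicit = pool.submit(verify_mode_implicit).result()
        # An explicit parameter travels with the call, whichever thread runs it.
        worker_explicit = pool.submit(verify_mode_explicit, CA_BUNDLE).result()
    return main_result, worker_implicit, worker_explicit

if __name__ == "__main__":
    labels = ("main/implicit", "worker/implicit", "worker/explicit")
    for label, (mode, ca) in zip(labels, run_demo()):
        print(f"{label:16} verify_mode={mode.name} ca_file={ca}")
```

The worker's implicit call raises no error and emits no warning; it simply runs with the fallback, which is why the difference is easy to miss in review.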