On Jun 3, 2013, at 12:52 PM, Ethan Furman <et...@stoneleaf.us> wrote:
> On 06/03/2013 09:43 AM, Donald Stufft wrote: >> On Jun 3, 2013, at 5:51 AM, Antoine Pitrou wrote: >>> >>> The problem with a "slightly outdated" CA store is that it can be a >>> security risk. >> >> Tracking the Mozilla store isn't difficult. New additions can be ignored for >> currently released Pythons so we'd just >> need to watch them for blacklisting certs and roll that into a security >> update. > > Personally, I'm not interested in waiting six months for an update. And why > can't I have the new additions? > > Seems to me a better solution is to have routines that can query and update > at will (meaning the app has to call them), as well as having the bundle > (black lists as well as new additions) in the regular updates. > > -- > ~Ethan~ > _______________________________________________ > Python-Dev mailing list > Python-Dev@python.org > http://mail.python.org/mailman/listinfo/python-dev > Unsubscribe: > http://mail.python.org/mailman/options/python-dev/donald%40stufft.io Personally I view that as a nice to have but if an app is willing to call hem they can easily depend on certifi and just replace the default certificates. The goal here is to get secure by default without any work on the part of the developers. If a developer knows to update the certs they can know to use certifi. ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
