On Jun 03, 2013, at 09:05 AM, Ben Darnell wrote: >The data is analogous to the time zone database (PEP 431) in that it may >need to be updated independently of Python's own release schedule, so we >may want to use similar techniques to manage both. Also see certifi ( >https://pypi.python.org/pypi/certifi), which is a copy of the Mozilla list >in a pip-installable form.
Right, this is very much analogous, except with the additional twist that out-of-date certificates can pose a significant security risk. I'm fairly certain that Debian and Ubuntu would explicitly not use any certificates shipped with Python, for two main reasons: 1) our security teams already manage the certificate store distro-wide and we want to make sure that one update fixes everything; 2) we don't want to duplicate code in multiple packages[1]. So *if* Python decides to do this (and I'm -0, but from a decidedly Linux-distro bias), it must be easily disabled. I generally like the way PEP 431 handles the tzdata, so I think we should do the same here. -Barry [1] This gives us headaches in upstreams like coverage caused by bundling externally available JavaScript libraries, or like urllib3 bundling chardet and urllib3, not to mention their own certificates yet again. :( _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
