On Mon, 2013-06-03 at 12:48 -0400, Barry Warsaw wrote:
> On Jun 03, 2013, at 09:05 AM, Ben Darnell wrote:
>
> >The data is analogous to the time zone database (PEP 431) in that it may
> >need to be updated independently of Python's own release schedule, so we
> >may want to use similar techniques to manage both. Also see certifi (
> >https://pypi.python.org/pypi/certifi), which is a copy of the Mozilla list
> >in a pip-installable form.
>
> Right, this is very much analogous, except with the additional twist that
> out-of-date certificates can pose a significant security risk.
>
> I'm fairly certain that Debian and Ubuntu would explicitly not use any
> certificates shipped with Python, for two main reasons: 1) our security teams
> already manage the certificate store distro-wide and we want to make sure that
> one update fixes everything; 2) we don't want to duplicate code in multiple
> packages[1].
Fedora/RHEL are in a similar position; I expect we'd rip out the bundled certs in our builds shortly after unzipping the tarball, and use a system-wide cert store (I "rm -rf" bundled libraries in our builds, to make sure we're not using them).

[...snip...]

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
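The policy the distro maintainers describe above (trust the system-wide store first, never a copy frozen into the Python tarball, and treat certifi only as a last resort where no system bundle exists) can be written down as a small resolver. The following is an added example for this thread, not code from CPython, Debian, Fedora or certifi; the search order, the `SYSTEM_BUNDLE_CANDIDATES` paths, the `SAMPLE_BUNDLE` text and the function names are all assumptions made for illustration.

```python
"""Pick the CA bundle a Python client should trust, preferring the
distribution's system-wide store over anything shipped with Python.

Added illustration for the python-dev thread; not CPython/distro code.
The search order and the candidate paths below are assumptions."""
import os
import ssl
from typing import Optional

# Assumed well-known system bundle locations on common Linux distros.
SYSTEM_BUNDLE_CANDIDATES = (
    "/etc/ssl/certs/ca-certificates.crt",   # Debian/Ubuntu, Alpine
    "/etc/pki/tls/certs/ca-bundle.crt",     # Fedora/RHEL
    "/etc/ssl/ca-bundle.pem",               # openSUSE
)

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample bundle (two placeholder blocks, not real certificates)
# so the counting helper can be exercised offline.
SAMPLE_BUNDLE = (
    "# Example Root CA 1\n"
    f"{PEM_BEGIN}\nMIIB...placeholder...\n{PEM_END}\n"
    "# Example Root CA 2\n"
    f"{PEM_BEGIN}\nMIIC...placeholder...\n{PEM_END}\n"
)


def count_pem_certs_text(text: str) -> int:
    """Count CERTIFICATE blocks in PEM text; a quick sanity check that the
    file we were handed is a non-empty, well-formed bundle."""
    begins = text.count(PEM_BEGIN)
    ends = text.count(PEM_END)
    if begins != ends:
        raise ValueError(f"{begins} BEGIN vs {ends} END markers")
    return begins


def count_pem_certs(path: str) -> int:
    """File-based wrapper around count_pem_certs_text."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return count_pem_certs_text(fh.read())


def resolve_ca_bundle(environ=None,
                      candidates=SYSTEM_BUNDLE_CANDIDATES,
                      exists=os.path.isfile,
                      openssl_cafile: Optional[str] = None) -> Optional[str]:
    """Return the CA bundle to use, in this order of preference:
      1. an explicit SSL_CERT_FILE override (OpenSSL honours the same variable),
      2. the cafile OpenSSL itself was built to use, if present on disk,
      3. a well-known distro bundle location,
      4. certifi's copy of the Mozilla list, only if nothing system-wide exists.
    `environ`, `exists` and `openssl_cafile` are injectable so the logic can
    be tested without touching the real filesystem or OpenSSL build config."""
    env = os.environ if environ is None else environ
    override = env.get("SSL_CERT_FILE")
    if override:
        return override
    if openssl_cafile is None:
        openssl_cafile = ssl.get_default_verify_paths().cafile
    if openssl_cafile and exists(openssl_cafile):
        return openssl_cafile
    for path in candidates:
        if exists(path):
            return path
    try:
        import certifi  # optional, third-party fallback; not stdlib
    except ImportError:
        return None
    return certifi.where()


def make_context(cafile: str) -> ssl.SSLContext:
    """Client context that verifies peers against exactly one bundle,
    with hostname checking on, rather than whatever defaults apply."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=cafile)
    return ctx


if __name__ == "__main__":
    bundle = resolve_ca_bundle()
    if bundle is None:
        print("no CA bundle found: system store missing and certifi not installed")
    else:
        print(f"using {bundle} with {count_pem_certs(bundle)} certificate(s)")
        make_context(bundle)
```

Note that the order matters: an `SSL_CERT_FILE` override wins so an administrator can point a process at a test bundle, and the pip-installed certifi copy is consulted only when no distro-managed bundle exists, which is exactly the situation the maintainers above want to avoid on their platforms.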