On 22.01.2014 11:30, Donald Stufft wrote:
> I would like to propose that a backwards incompatible change be made to
> Python to make verification of hostname and certificate chain the default
> instead of requiring it to be opt in.
>
> Python 3.4 has made great strides in making it easier for applications to
> simply turn on these settings, however many people are not aware at all
> that they need to opt into this. Most assume that it will operate similarly
> to their browser, curl, wget, etc and validate by default and in the
> typical style of security related issues it will appear to work just fine
> however be grossly insecure.
>
> In the real world “opt in security” typically translates to just plain old
> insecure for the bulk of applications/libraries. I believe that Python has
> a responsibility to do the right thing by default here and it is in the
> best position to do so. The alternative requires every Python developer who
> wants to access a secure resource to be educated on the fact that they need
> to flip some switch to do what most of them would expect.

Such a change would introduce considerable breakage. This would either have
to be done using our usual pending deprecation, deprecation, removal dance
(over three releases) or be postponed until Python 4.

Note that several python.org services use CAcerts which would no longer be
accessible per default following such a change.

-- 
Marc-Andre Lemburg
eGenix.com