On Wed, Jan 22, 2014, at 04:02 AM, Donald Stufft wrote: > > On Jan 22, 2014, at 6:45 AM, Nick Coghlan <ncogh...@gmail.com> wrote: > > > On 22 January 2014 21:21, Paul Moore <p.f.mo...@gmail.com> wrote: > >> On 22 January 2014 10:30, Donald Stufft <don...@stufft.io> wrote: > >>> Python 3.4 has made great strides in making it easier for applications > >>> to simply turn on these settings, however many people are not aware > >>> at all that they need to opt into this. Most assume that it will operate > >>> similarly to their browser, curl, wget, etc and validate by default and in > >>> the typical style of security related issues it will appear to work just > >>> fine > >>> however be grossly insecure. > >> > >> Two things: > >> > >> 1. To be "like the browser" we'd need to use the OS certificate store, > >> which isn't the case on Windows at the moment (managing those > >> certificate bundle files is most definitely *not* "like the browser" - > >> I'd have no idea how to add a self-certificate to the bundle file > >> embedded in pip, for example). > >> 2. Your proposal is that because some application authors have not > >> opted in yet, we should penalise the end users of those applications > >> by stopping them being able to use unverified https? And don't forget, > >> applications that haven't opted in will have no switch to allow > >> unverified use. That seems to be punishing the wrong people. > > > > Right, the browsers have a whole system of "click through" security to > > make the web (and corporate intranets!) still usable even when they > > only accept CA signed certs by default. With a programming language, > > there's no such interactivity, so applications just break and users > > don't know why. > > > > It's notable that even Linux distros haven't made this change in their > > system Python builds, and commercial Linux distros have raised > > paranoia to an art form (since that's a respectable chunk of what > > their users are paying for). > > I was actually talking to a Debian maintainer about the likelihood > of making this change there earlier today :) If I fail at making this > change in upstream I’ll be lobbying downstream and then we’ll > just have different behaviors based on where you get your Python > from which I think stinks.
I suppose if Debian wants to serve as a test ground to determine whether everyone is happy about having their scripts broken, that's fine, too. _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
