On 23 Jan 2014 00:39, "Benjamin Peterson" <benja...@python.org> wrote: > > On Wed, Jan 22, 2014, at 04:15 AM, Donald Stufft wrote: > > > > On Jan 22, 2014, at 6:58 AM, Nick Coghlan <ncogh...@gmail.com> wrote: > > > > > On 22 January 2014 21:36, Donald Stufft <don...@stufft.io> wrote: > > >> On Jan 22, 2014, at 6:30 AM, M.-A. Lemburg <m...@egenix.com> wrote: > > >>> The change would also disable all services using self-signed > > >>> certificates which are very common in internal networks and > > >>> for ad-hoc setups. Many routers and other devices use self-signed > > >>> certificates when offering HTTPS services. > > >> > > >> It will just disable them by default, they can still easily be accessed > > >> you’d just need to pass the “do not verify” flag. This clearly indicates > > >> that you’re opting out of the S in HTTPS. > > > > > > You need to remember that *Python is fundamentally not an > > > application*. We don't control the interaction with the user, > > > application developers do, and every decision we make has to take that > > > into account. > > > > > > The kinds of decisions that an application like a web browser or a > > > package installer can make aren't necessarily available to a runtime. > > > We had to be cautious even with the initial hash randomisation change > > > to avoid breaking currently working applications. > > > > The same could be said for requests, it’s fundamentally not an > > application > > and can’t control the interaction with the user and yet it validates TLS > > by > > default just fine. > > Speaking of requests, I think another way to address this issue would be > import a requests-like APIs into the stdlib (something which should > happen anyway) and make that verify certificates by default. This would > address the casual urllib-type usecase of fetching files over http/ftp > etc. (I expect most people using their own protocols over raw TLS > already know to force certificate verification.)
Guido gave in principle approval for an asyncio backed requests clone as the preferred HTTP client API last year, but that's going to take someone to write and publish it if we're going to be able to include it in 3.5. Cheers, Nick.
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
