> But if it's only the already security-conscious developers and
> managers who go WTF?, and other environments don't do this by default,
> I'd consider that a "dangerous curve, slow down" sign.
Mitigations:

**Packaging**
* Upgrade setuptools (distribute, zc.buildout)
* Avoid easy_install, python setup.py install, and python setup.py develop
  (until it can be verified that the installed version of setuptools
  contains VerifyingHTTPSHandler [1])

  https://bitbucket.org/pypa/setuptools/history-node/tip/setuptools/ssl_support.py

* +1 for Pip install -e vcs+ssh://v...@example.org/username/pkgname@semver@egg=pkgname
* +1 for Conda
* +1 for OS packages

**Implementation**
* Python < 3.4 : https://pypi.python.org/pypi/backports.ssl_match_hostname

**Awareness**
* Big red warning boxes: (.. warning:: in RST): Documentation
* This must not be easy to test.
* http://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-18230/Python-Python.html

--
Wes Turner

On Thu, Jan 23, 2014 at 3:05 AM, Stephen J. Turnbull <step...@xemacs.org> wrote:

> Donald Stufft writes:
>
>  > As an additional side note, anecdotal evidence and what not, but
>  > *every* time I bring this up somewhere I get at least one reply
>  > that looks similar to
>  > https://twitter.com/ojiidotch/status/425986619879866368
>
> Hey, wait a cotton-picking minute!
>
> Are you telling me that Perl, PHP, and Ruby *do* verify certs by
> default in their "batteries included" stdlibs, and developers using
> those languages have been turning that feature off in their code for,
> like, you know, well, for-EVER man!? (They surely don't leave it on,
> or my employer would have fixed their broken cert chain and hostnames
> by now.)
>
> If so, that's evidence for the practicality of the proposal, and maybe
> even for fast-tracking it to catch up. My employer and the Ministry
> of Education, Culture, Science, and Technology be damned (and they
> will be).
>
> But if it's only the already security-conscious developers and
> managers who go WTF?, and other environments don't do this by default,
> I'd consider that a "dangerous curve, slow down" sign.
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com
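The mitigation list above points at two things a client has to get right that the pre-3.4 stdlib left to the caller: validating the certificate chain and checking that the certificate actually names the host being contacted (the job of backports.ssl_match_hostname and setuptools' VerifyingHTTPSHandler). The following is an added example, not code from this thread, from setuptools or from backports.ssl_match_hostname: it builds an SSLContext that does both checks, exposes a small audit helper, and implements the RFC 6125 hostname-matching rules over constructed getpeercert()-style dictionaries so it runs offline. ssl.create_default_context() is assumed (present in Python 3.4+ and 2.7.9+); the certificate dictionaries SAN_CERT and CN_ONLY_CERT are constructed test data, not real certificates.

```python
import ssl
import urllib.request
from http.client import HTTPSConnection


class CertificateError(ValueError):
    """Raised when a certificate does not cover the requested hostname."""


def _dnsname_match(pattern, hostname):
    """Match one dNSName pattern against hostname, RFC 6125 section 6.4.3 style.

    A wildcard is honoured only as the whole left-most label, and only when
    at least two more labels follow it: '*.example.org' matches
    'www.example.org' but not 'example.org' or 'a.b.example.org'.
    Partial wildcards such as 'w*w.example.org', and '*.org' or '*', never match.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3:
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def match_hostname(cert, hostname):
    """Return the certificate name that covers hostname, or raise CertificateError.

    cert is a dict in the shape returned by SSLSocket.getpeercert().
    dNSName subjectAltName entries are authoritative; commonName is consulted
    only when the certificate carries no dNSName entry at all.
    """
    if not cert:
        raise CertificateError("no certificate received")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    for name in names:
        if _dnsname_match(name, hostname):
            return name
    raise CertificateError(
        "hostname %r does not match certificate names %r" % (hostname, names))


def covers(cert, hostname):
    """Boolean form of match_hostname, convenient for audits and tests."""
    try:
        match_hostname(cert, hostname)
    except CertificateError:
        return False
    return True


def verifying_context(cafile=None):
    """SSLContext that rejects untrusted chains and mismatched hostnames.

    create_default_context() already sets both options; they are repeated
    here so the contrast with the old unverified default is explicit.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def is_verifying(ctx):
    """True only if ctx both validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def verifying_connection(host, cafile=None):
    """HTTPSConnection bound to the verifying context; nothing is sent yet."""
    return HTTPSConnection(host, context=verifying_context(cafile))


def verifying_opener(cafile=None):
    """urllib opener whose HTTPS handler uses the verifying context."""
    handler = urllib.request.HTTPSHandler(context=verifying_context(cafile))
    return urllib.request.build_opener(handler)


# Constructed getpeercert()-style dictionaries, not real certificates.
SAN_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}


if __name__ == "__main__":
    print(match_hostname(SAN_CERT, "www.example.org"))  # *.example.org
    print(covers(SAN_CERT, "a.b.example.org"))          # False
    print(is_verifying(verifying_context()))            # True
```

is_verifying() is the check worth running against any SSLContext handed to you by a library: a context with verify_mode set to CERT_REQUIRED but check_hostname left False still accepts a valid certificate for the wrong host, which is exactly the gap the backports.ssl_match_hostname package was written to close.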