> But if it's only the already security-conscious developers and
> managers who go WTF?, and other environments don't do this by default,
> I'd consider that a "dangerous curve, slow down" sign.

Mitigations:

**Packaging**

  * Upgrade setuptools (distribute, zc.buildout)
  * Avoid easy_install, python setup.py install, and python setup.py develop
    (until it can be verified that the installed version of setuptools contains
     VerifyingHTTPSHandler [1])

    [1] https://bitbucket.org/pypa/setuptools/history-node/tip/setuptools/ssl_support.py

  * +1 for pip install -e
    vcs+ssh://v...@example.org/username/pkgname@semver#egg=pkgname
  * +1 for Conda
  * +1 for OS packages


**Implementation**

* Python < 3.4 : https://pypi.python.org/pypi/backports.ssl_match_hostname


**Awareness**

* Big red warning boxes: (.. warning:: in RST): Documentation
* This must not be easy to test.
* http://www.cvedetails.com/vulnerability-list/vendor_id-10210/product_id-18230/Python-Python.html


--
Wes Turner


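The two pieces the mitigation list above points at, shown together as an added example (this is not code from the mail, from setuptools, or from backports.ssl_match_hostname): a hostname check in the style the backport supplies for Python < 3.4, written out here from the RFC 6125 rules so the wildcard and subjectAltName-vs-commonName behaviour is visible, next to the client-side ssl.SSLContext configuration that the 3.4+ stdlib makes available. The legacy_client_context() function reproduces the old default (encrypt, verify nothing) so it can be compared with the verifying one; the certificate dicts are constructed sample data in the shape ssl.getpeercert() returns, not real certificates, and https_get() is only a convenience wrapper around urllib.

```python
import re
import ssl
import urllib.request


class CertificateError(ValueError):
    """Raised when the peer certificate does not match the requested hostname."""


def _dnsname_match(dn, hostname, max_wildcards=1):
    """RFC 6125-style match of one dNSName/commonName value against a hostname.

    A wildcard is honoured only in the leftmost label and matches exactly one
    label: '*.example.org' matches 'www.example.org' but neither
    'a.b.example.org' nor the bare 'example.org'.
    """
    if not dn:
        return False
    leftmost, *remainder = dn.split('.')
    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        # More than one wildcard is treated as a hostile name, not a non-match.
        raise CertificateError("too many wildcards in certificate DNS name: %r" % dn)
    if not wildcards:
        return dn.lower() == hostname.lower()
    pats = []
    if leftmost == '*':
        pats.append('[^.]+')
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # No wildcard expansion inside IDNA A-labels.
        pats.append(re.escape(leftmost))
    else:
        # Partial wildcard such as 'f*.example.org'.
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
    pats.extend(re.escape(frag) for frag in remainder)
    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname) is not None


def match_hostname(cert, hostname):
    """Check a getpeercert()-style dict against hostname; raise on mismatch.

    subjectAltName dNSName entries are authoritative; the subject commonName
    is consulted only when the certificate carries no dNSName at all.
    """
    if not cert:
        raise ValueError("empty or no certificate")
    dnsnames = []
    for key, value in cert.get('subjectAltName', ()):
        if key == 'DNS':
            if _dnsname_match(value, hostname):
                return
            dnsnames.append(value)
    if not dnsnames:
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    if _dnsname_match(value, hostname):
                        return
                    dnsnames.append(value)
    if dnsnames:
        raise CertificateError("hostname %r doesn't match %s"
                               % (hostname, ', '.join(map(repr, dnsnames))))
    raise CertificateError("no appropriate commonName or subjectAltName fields were found")


def hostname_matches(cert, hostname):
    """Boolean wrapper around match_hostname()."""
    try:
        match_hostname(cert, hostname)
    except CertificateError:
        return False
    return True


def legacy_client_context():
    """The pre-3.4 client behaviour, spelled out: encrypt, verify nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_client_context():
    """Chain verification against the platform trust store plus hostname checking."""
    return ssl.create_default_context()


def context_verifies(ctx):
    """True only if the context both requires a trusted chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def https_get(url, context=None):
    """Fetch url; an untrusted chain or hostname mismatch raises ssl.SSLError."""
    with urllib.request.urlopen(url, context=context or verifying_client_context()) as resp:
        return resp.read()


# Constructed sample data in the shape ssl.getpeercert() returns (not real certs).
SAMPLE_CERT = {
    'subject': ((('commonName', 'example.org'),),),
    'subjectAltName': (('DNS', 'example.org'), ('DNS', '*.example.org')),
}
CN_ONLY_CERT = {'subject': ((('commonName', 'example.org'),),)}
SAN_MISMATCH_CERT = {
    'subject': ((('commonName', 'example.org'),),),
    'subjectAltName': (('DNS', 'other.org'),),
}
```

The SAN_MISMATCH_CERT case is the one worth remembering: once a certificate carries any dNSName, a matching commonName no longer rescues it, which is also the rule the stdlib applies once check_hostname is on.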
On Thu, Jan 23, 2014 at 3:05 AM, Stephen J. Turnbull <step...@xemacs.org> wrote:
> Donald Stufft writes:
>
>  > As an additional side note, anecdotal evidence and what not, but
>  > *every* time I bring this up somewhere I get at least one reply
>  > that looks similar to
>  > https://twitter.com/ojiidotch/status/425986619879866368
>
> Hey, wait a cotton-picking minute!
>
> Are you telling me that Perl, PHP, and Ruby *do* verify certs by
> default in their "batteries included" stdlibs, and developers using
> those languages have been turning that feature off in their code for,
> like, you know, well, for-EVER man!?  (They surely don't leave it on,
> or my employer would have fixed their broken cert chain and hostnames
> by now.)
>
> If so, that's evidence for the practicality of the proposal, and maybe
> even for fast-tracking it to catch up.  My employer and the Ministry
> of Education, Culture, Science, and Technology be damned (and they
> will be).
>
> But if it's only the already security-conscious developers and
> managers who go WTF?, and other environments don't do this by default,
> I'd consider that a "dangerous curve, slow down" sign.
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: 
> https://mail.python.org/mailman/options/python-dev/wes.turner%40gmail.com