Wes Turner writes:

> > But if it's only the already security-conscious developers and
> > managers who go WTF?, and other environments don't do this by default,
> > I'd consider that a "dangerous curve, slow down" sign.
>
> Mitigations:
>
> **Packaging**
>
> * Upgrade setuptools (distribute, zc.buildout)
> * Avoid easy_install, python setup.py install, and python setup.py develop
>   (until it can be verified that the installed version of setuptools
>   contains VerifyingHTTPSHandler [1])

Are you kidding? These *aren't* the apps that I care about breaking, and I know that the PHBs won't pay attention to what I say about fixing their sites and cert chains (believe me, I've tried, and the answer is as Paul Moore says: the users can punch the "go ahead anyway button," what's the big deal here?), they'll just deprecate Python.

My question remains:

> > Are you telling me that Perl, PHP, and Ruby *do* verify certs by
> > default in their "batteries included" stdlibs, and developers using
> > those languages have been turning that feature off in their code for,
> > like, you know, well, for-EVER man!?

I find that hard to believe, given that the security of the network remains broken yet there aren't warnings out to avoid these platforms.

(BTW, my employer prides itself on being Matz's alma mater ... they actually might do something if Ruby was breaking things!)

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com