On Jan 23, 2014, at 10:06 PM, Stephen J. Turnbull <step...@xemacs.org> wrote:
> Wes Turner writes: >>> But if it's only the already security-conscious developers and >>> managers who go WTF?, and other environments don't do this by default, >>> I'd consider that a "dangerous curve, slow down" sign. >> >> Mitigations: >> >> **Packaging** >> >> * Upgrade setuptools (distribute, zc.buildout) >> * Avoid easy_install, python setup.py install, and python setup.py develop >> (until it can be verified that the installed version of setuptools >> contains >> VerifyingHTTPSHandler [1]) > > Are you kidding? These *aren't* the apps that I care about breaking, > and I know that the PHBs won't pay attention to what I say about > fixing their sites and cert chains (believe me, I've tried, and the > answer is as Paul Moore says: the users can punch the "go ahead anyway > button," what's the big deal here?), they'll just deprecate Python. > > My question remains: > >>> Are you telling me that Perl, PHP, and Ruby *do* verify certs by >>> default in their "batteries included" stdlibs, and developers using >>> those languages have been turning that feature off in their code for, >>> like, you know, well, for-EVER man!? > > I find that hard to believe, given that the security of the network > remains broken yet there aren't warnings out to avoid these platforms. > (BTW, my employer prides itself on being Matz's alma mater ... they > actually might do something if Ruby was breaking things!) Ruby has verified the peer by default since Ruby 1.9 Go also verifies by default, I’m not aware if PHP or Perl do. ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
