On Jan 23, 2014, at 10:09 PM, Donald Stufft <don...@stufft.io> wrote:
> On Jan 23, 2014, at 10:06 PM, Stephen J. Turnbull <step...@xemacs.org> wrote:
>
>> Wes Turner writes:
>>>> But if it's only the already security-conscious developers and
>>>> managers who go WTF?, and other environments don't do this by default,
>>>> I'd consider that a "dangerous curve, slow down" sign.
>>>
>>> Mitigations:
>>>
>>> **Packaging**
>>>
>>> * Upgrade setuptools (distribute, zc.buildout)
>>> * Avoid easy_install, python setup.py install, and python setup.py develop
>>> (until it can be verified that the installed version of setuptools contains
>>> VerifyingHTTPSHandler [1])
>>
>> Are you kidding? These *aren't* the apps that I care about breaking,
>> and I know that the PHBs won't pay attention to what I say about
>> fixing their sites and cert chains (believe me, I've tried, and the
>> answer is as Paul Moore says: the users can punch the "go ahead anyway"
>> button, what's the big deal here?), they'll just deprecate Python.
>>
>> My question remains:
>>
>>>> Are you telling me that Perl, PHP, and Ruby *do* verify certs by
>>>> default in their "batteries included" stdlibs, and developers using
>>>> those languages have been turning that feature off in their code for,
>>>> like, you know, well, for-EVER man!?
>>
>> I find that hard to believe, given that the security of the network
>> remains broken yet there aren't warnings out to avoid these platforms.
>> (BTW, my employer prides itself on being Matz's alma mater ... they
>> actually might do something if Ruby was breaking things!)
>
> Ruby has verified the peer by default since Ruby 1.9
>
> Go also verifies by default, I’m not aware if PHP or Perl do.

Oh, Node.js also verifies by default, PHP apparently does not.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
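An added illustration of the two checks this thread turns on (whether a client context really verifies the peer, and the quoted mitigation's "does the installed setuptools contain VerifyingHTTPSHandler"); this is not code from the thread, from CPython or from setuptools. It assumes the historical module path setuptools.ssl_support for that handler, and the helper names are mine.

```python
import importlib
import ssl
import urllib.request
from typing import Optional


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context both demands a peer certificate and checks
    that the certificate matches the requested hostname. Either one alone
    still lets an active attacker impersonate the server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def default_context_verifies() -> bool:
    """Does this interpreter's create_default_context() verify? (True on 3.4+.)"""
    return context_verifies_peer(ssl.create_default_context())


def unverified_context() -> ssl.SSLContext:
    """Rebuild the 'verify nothing' client behaviour the thread complains
    about, for comparison. check_hostname must be cleared before verify_mode
    can drop to CERT_NONE, or ssl raises ValueError."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def setuptools_has_verifying_handler() -> bool:
    """The check the quoted mitigation asks for. Assumes the module path
    setuptools.ssl_support used by older setuptools; newer releases removed
    that module, so False means 'not present', not necessarily 'insecure'."""
    try:
        mod = importlib.import_module("setuptools.ssl_support")
    except ImportError:
        return False
    return hasattr(mod, "VerifyingHTTPSHandler")


def verifying_opener(cafile: Optional[str] = None) -> urllib.request.OpenerDirector:
    """urllib opener pinned to a verifying context, so a site with a broken
    chain fails with ssl.SSLCertVerificationError instead of 'going ahead anyway'.
    cafile optionally points at a custom trust store (e.g. an internal CA)."""
    ctx = ssl.create_default_context(cafile=cafile)
    assert context_verifies_peer(ctx)
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
```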
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com