On 24 January 2014 03:06, Stephen J. Turnbull <step...@xemacs.org> wrote:

> Are you kidding? These *aren't* the apps that I care about breaking,
> and I know that the PHBs won't pay attention to what I say about
> fixing their sites and cert chains (believe me, I've tried, and the
> answer is as Paul Moore says: the users can punch the "go ahead anyway
> button," what's the big deal here?), they'll just deprecate Python.

Surely the solution here isn't to say "well then, let's be insecure by default", it's to provide a "go ahead anyway" button. That at least lets us push the choice to be insecure by default onto someone else. The idea that an enterprise will deprecate Python instead of adding a single environment variable or one line at the top of their scripts seems hugely unlikely.

As an example, Requests provides a "stop verifying certs" button, and that works fine for us. (I know that Requests is outside the stdlib and so it's not a perfect analogy, but it's serviceable.)

I suspect most people who want this change don't care if users have an easy way to circumvent it, we just want to have the user/enterprise make that choice for themselves. Put another way, we want the average user to fall into a pit of success.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com