> On Aug 29, 2014, at 5:42 PM, R. David Murray <rdmur...@bitdance.com> wrote: > > On Fri, 29 Aug 2014 17:11:35 -0400, Donald Stufft <don...@stufft.io> wrote: >> Sorry I was on my phone and didn’t get to fully reply to this. >>> On Aug 29, 2014, at 4:00 PM, M.-A. Lemburg <m...@egenix.com> wrote: >>> >>> * configuration: >>> >>> It would be good to be able to switch this on or off >>> without having to change the code, e.g. via a command >>> line switch and environment variable; perhaps even >>> controlling whether or not to raise an exception or >>> warning. >> >> I’m on the fence about this, if someone provides a certificate >> that we can validate against (which can be done without >> touching the code) then the only thing that really can’t be >> “fixed” without touching the code is if someone has a certificate >> that is otherwise invalid (expired, not yet valid, wrong hostname, >> etc). I’d say if I was voting on this particular thing I’d be -0, I’d >> rather it didn’t exist but I wouldn’t cry too much if it did. > > Especially if you want an accelerated change, there must be a way to > *easily* get back to the previous behavior, or we are going to catch a > lot of flack. There may be only 7% of public certs that are problematic, > but I'd be willing to bet you that there are more not-really-public ones > that are critical to day to day operations *somewhere* :) > > wget and curl have 'ignore validation' as a command line flag for a reason. >
Right, that’s why I’m on the fence :) On one hand, it’s going to break things for some people, (arguably they are already broken, just silently so, but we’ll leave that argument aside) and a way to get back the old behavior is good. There are already ways within the Python code itself, so that’s covered. From outside of the Python code there are ways if the certificate is untrusted but otherwise valid which are pretty easy to do. The major “gap” is when you have an actual invalid certificate due to expiration or hostname or some other such thing. On the other hand Python is not wget/curl and the people who are most likely to be the target for a “I can’t change the code but I need to get the old behavior back” are people who are likely to not be invoking Python itself but using something written in Python which happens to be using Python. IOW they might be executing “foobar” not “python -m foobar”. Like I said though, I’m personally fine either way so don’t take this as being against that particular change! --- Donald Stufft PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com