On 09/03/2014 05:00 PM, Ethan Furman wrote:
On 09/03/2014 04:36 PM, Antoine Pitrou wrote:
On Thu, 4 Sep 2014 09:19:56 +1000
Nick Coghlan <ncogh...@gmail.com> wrote:

Python is routinely updated to bugfix releases by Linux distributions
and other distribution channels, you usually have no say over what's
shipped in those updates. This is not like changing the major version
used for executing the script, which is normally a manual change.

We can potentially deal with the more conservative part of the user base on
the redistributor side - so long as the PEP says it's OK for us to not
apply this particular change if we deem it appropriate to do so.

So people would believe python.org that they would get HTTPS cert
validation by default, but their upstream distributor would have
disabled it for them? That's even worse...

I agree. If the vendors don't want to have validation by default, they should
stick with 2.7.8.

If a good argument can be made for why we should make validation by default optional, then that point should be well made in Python's release notes, and there should be some easy programmatic way to tell if validation is on or off (which may just be more docs saying call SSLContext and examine the results: xxx means you're validating, yyy means you are not).

--
~Ethan~
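
A sketch of the programmatic check asked for above, added here as an example that is not part of the original thread. It assumes Python 3 and reads the private CPython hook `ssl._create_default_https_context`, which the standard-library HTTPS clients use to build their default context; the helper names `describe_context` and `https_default_validates` are hypothetical.

```python
import ssl


def describe_context(ctx):
    """Summarise the validation-related settings of an SSLContext.

    A client context is treated as validating only when it both requires a
    trusted certificate chain (CERT_REQUIRED) and matches the hostname.
    """
    chain_required = ctx.verify_mode == ssl.CERT_REQUIRED
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "validating": chain_required and ctx.check_hostname,
    }


def https_default_validates():
    """Describe the context that http.client / urllib build by default.

    Assumption: the private name ssl._create_default_https_context is the
    factory used for default HTTPS contexts; a redistributor or application
    can rebind it, which is the case this check is meant to expose.
    """
    factory = getattr(ssl, "_create_default_https_context",
                      ssl.create_default_context)
    return describe_context(factory())


if __name__ == "__main__":
    # Interpreter-wide default for HTTPS clients.
    print("https default :", https_default_validates())

    # A context built with validation switched off, for comparison.
    print("unverified    :", describe_context(ssl._create_unverified_context()))

    # Chain is verified but the hostname is not: still not full validation.
    partial = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    partial.check_hostname = False
    print("no hostname   :", describe_context(partial))
```
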