I'm in entire agreement with Donald below.
Regards

Antoine.


On Mon, 11 May 2015 06:23:11 -0400
Donald Stufft <don...@stufft.io> wrote:
>
> I don't really agree that the decision to disable TLS is an environment one,
> it's really a per application decision. This is why I was against having some
> sort of global off switch for all of Python because just because one
> application needs it turned off doesn't mean you want it turned off for
> another Python application. You might have some script that is interacting
> with a custom internal server which doesn’t have a valid TLS certificate but
> then you also have pip* installed which is reaching out to PyPI and
> downloading code from the internet. You might want to disable TLS
> verification for the first but you almost certainly don't want it to disable
> TLS verification for the second one.
>
> In this regard I think that environment variables are somewhat better because
> they are far easier to set per application instead of in a way that affects
> every Python program. Per application is the *right* scope for this setting,
> especially in a system where people may or may not realize what is written in
> Python and what isn't. I think it's absolutely wrong to give people a footgun
> in the terms of a switch that turns off all of Python's TLS verification when
> for many applications the fact they use Python is simply an implementation
> detail.
>
> That being said, since it's not being included in Python core and it's only
> some patch that some downstreams are going to apply I also don't really care
> that much because it's not going to affect me and if it turns out to be a bad
> idea and a footgun like I think it is, then the blame can rest on those
> downstreams and not us :)
>
> I'm also not a fan of the environment variable either really for a lot of the
> reasons you've outlined here.
>
> * Ignoring the fact that pip has (via requests/urllib3) worked around this
>   deficiency in Python and isn't going to be affected by this configuration
>   switch at all.
>
> ---
> Donald Stufft
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
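
The per-application scope argued for in the quoted message, as an added example that is not part of the original thread or of CPython: verification is relaxed only on connections to an allowlisted internal host, while every other connection in the same process keeps the default verified context. The host name `legacy.internal.example` and the helpers `context_for`, `connect` and `describe` are hypothetical.

```python
import http.client
import ssl

# Hypothetical allowlist (constructed for this example): internal hosts
# known to present a certificate that cannot be validated.
UNVERIFIED_HOSTS = frozenset({"legacy.internal.example"})


def context_for(host, unverified_hosts=UNVERIFIED_HOSTS):
    """Return a fresh SSLContext scoped to one destination host.

    Nothing process-wide is modified, so other code in the same interpreter
    (for example a package installer) still verifies certificates.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    if host.lower() in unverified_hosts:
        # check_hostname has to be cleared before verify_mode may be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect(host, port=443, timeout=10):
    """Create (but do not open) an HTTPS connection bound to a single host.

    HTTPSConnection does not follow redirects, so the relaxed context can
    never be reused against a different server.
    """
    return http.client.HTTPSConnection(
        host, port, timeout=timeout, context=context_for(host)
    )


def describe(host):
    """Report the (verify_mode, check_hostname) pair a host would get."""
    ctx = context_for(host)
    return ctx.verify_mode, ctx.check_hostname


if __name__ == "__main__":
    for name in ("pypi.org", "legacy.internal.example"):
        mode, check = describe(name)
        print(f"{name}: verify_mode={mode.name} check_hostname={check}")
```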