> On May 12, 2015, at 7:17 AM, Nick Coghlan <ncogh...@gmail.com> wrote:
> 
> On 12 May 2015 at 21:09, Donald Stufft <don...@stufft.io> wrote:
>> If you control the app you don't need to do that. All relevant api accept 
>> the context parameter. The shims are only useful when you don't control the 
>> app. So an app shipping their own python doesn't fall under that.
> 
> I think the "bundled Python" scenario MAL is interested in is this one:
> 
> 1. An application with a bundled CPython runtime is using the
> verification defaults
> 2. Upgraded the bundled Python to 2.7.9
> 3. Didn't provide new configuration settings to disable certificate 
> verification
> 4. Is being upgraded in an environment where verifying certificates
> makes the app unusable for environmental reasons related to
> certificate management
> 
> The PyRun single-file Python interpreter has a similar need, where
> some apps that ran fine under 2.7.8 will need a way to disable cert
> verification in 2.7.9+ on a per-application basis, *without* modifying
> the applications.
> 
> Both of those make sense to me as cases where the environment variable
> based security downgrade approach is the "least bad" answer available,
> which is why I eventually agreed it should be one of the
> recommendations in the PEP.
> 

Why is "without modifying the app" a reasonable goal? If Python is bundled
with the app then you have direct control over when that upgrade happens,
so you can delay the upgrade to 2.7.9 until your application which is
bundling Python has the relevant switches. This is distinctly different
from a situation like downstream distributors where the version of Python
being provided is being provided by a group different than the person
providing the application.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
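As an added illustration of the point made above (not code from this thread, from the PEP, or from CPython itself), here is how an application that bundles its own interpreter can own the verification decision through the `context` parameter rather than an interpreter-wide environment variable: verification stays on by default, a deployment whose certificate management is the problem points the app at its own CA bundle, and the explicit per-application opt-out is the last resort. The function names and settings are assumptions; it is written for Python 3, but the `ssl` calls it uses also exist in 2.7.9.

```python
import logging
import ssl
import urllib.request

log = logging.getLogger("app.tls")


def make_context(cafile=None, disable_verification=False):
    """Build the SSLContext this application hands to every HTTPS call.

    Order of preference: verify against the platform trust store (default),
    verify against a deployment-supplied CA bundle (cafile), and only when
    the application's own setting says so, skip verification entirely.
    """
    if disable_verification:
        # Application-scoped downgrade: explicit, logged, and local to this
        # process, not an environment variable affecting every Python program.
        log.warning("TLS certificate verification disabled by application setting")
        ctx = ssl.create_default_context()
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # A missing or unreadable CA file raises here, so a broken deployment
    # fails at startup instead of silently falling back to no verification.
    return ssl.create_default_context(cafile=cafile)


def describe(ctx):
    """Summarise what a context enforces, for logging or a startup self-check."""
    return {
        "verified": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
    }


def fetch(url, ctx, timeout=10):
    """Single choke point: every HTTPS request passes an explicit context."""
    return urllib.request.urlopen(url, context=ctx, timeout=timeout)


if __name__ == "__main__":
    # Constructed settings standing in for the application's own config file.
    app_settings = {"cafile": None, "disable_verification": False}
    ctx = make_context(**app_settings)
    log.info("TLS policy in effect: %s", describe(ctx))
```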


_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev