Hans-Christoph Steiner added the comment:
This general idea sounds nice to have, I hope it can be included.
`ctx._call_with_ctypes("SSL_CTX_set_ciphersuites"...` also sounds totally
workable to me, if that has the best security profile.
Defense in depth is important, but it is no
Hans-Christoph Steiner added the comment:
I understand the frustrations here, but this is really not a place to vent,
since that only harms everyone's interests. When a core maintainer voices
concerns or questions, they need to be addressed. This goes for any project.
I'll see if I can
Hans-Christoph Steiner added the comment:
We're working on the HTTP Transport Auth draft
(https://www.ietf.org/archive/id/draft-schinazi-httpbis-transport-auth-05.html)
in the IETF that also needs this method. I would really love to see this land,
any advice? If it is just a matter
Hans-Christoph Steiner added the comment:
I agree with all you say, but I think it is important to not rule out handling
HTTPS/SVCB DNS here. It can happen at a later stage though. What you propose
works great for the first step.
If handling the DNS is punted to some external library
New submission from Hans-Christoph Steiner :
The next version of the IETF-standardized TLS protocol is known as Encrypted
ClientHello (ECH) [1] formerly known as Encrypted SNI (ESNI). This ticket
collects information for ECH support, and tracks which APIs have to be added to
Python in order
Hans-Christoph Steiner added the comment:
> - For full reproducible builds you may have to write files to zipfiles in a
> well-defined order.
That already works fine now, we've been doing that with Python for years. But
that leaves it up to the implemented to do. I suppose zipfile
Hans-Christoph Steiner added the comment:
I just found another specific example in _open_to_write(). 0 is a valid value
for zinfo.external_attr. But this code always forces 0 to something else:
if not zinfo.external_attr:
zinfo.external_attr = 0o600 << 16 # permi
New submission from Hans-Christoph Steiner :
It is now standard for Java JARs and Android APKs (both ZIP files) to zero out
lots of the fields in the ZIP header. For example:
* each file entry has the date set to zero
* the create_system is always set to zero on all platforms
zipfile
