<div dir="ltr"><div>Antoine, I think we are well past the point where arguments can sway positions. There clearly is no agreement on this issue. So please treat my post as a BDFL tie-breaker. I will just give you one thing to ponder -- those small/non-profit websites that can't afford proper certs are exactly the ones that will be hosting malware soon. Sorry for them, and the certificate vendors certainly aren't in it for charity, but they must fix their certificate issues (and probably improve many other sysadmin practices).<br>
<br></div>--Guido<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Sep 3, 2014 at 11:37 AM, Antoine Pitrou <span dir="ltr"><<a href="mailto:solipsis@pitrou.net" target="_blank">solipsis@pitrou.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="">On Wed, 3 Sep 2014 10:54:55 -0700<br>
Guido van Rossum <<a href="mailto:guido@python.org">guido@python.org</a>> wrote:<br>
><br>
> Let's take the plunge on this issue for the next 2.7 release (3.5 being a<br>
> done deal).<br>
<br>
</div>I'm entirely against this.<br>
<div class=""><br>
> Yes, some people will find that they have an old script<br>
> accessing an old service which breaks. Surely some of the other changes in<br>
> the same 2.7 bugfix release will also break some other scripts. People deal<br>
> with it. Probably 90% of the time it's an annoyance (but no worse than any<br>
> other minor-release upgrade -- you should test upgrades before committing<br>
> to them, and if all else fails, roll it back).<br>
<br>
</div>Python is routinely updated to bugfix releases by Linux distributions<br>
and other distribution channels, you usually have no say over what's<br>
shipped in those updates. This is not like changing the major version<br>
used for executing the script, which is normally a manual change.<br>
<div class=""><br>
> Today (working at Dropbox, a much smaller company!) I don't<br>
> even remember the last time I had to deal with such a browser<br>
> complaint -- internal services here all redirect to SSL, and not a<br>
> browser that can find fault with their certs.<br>
<br>
</div>Good for you. I still sometimes get warnings about expired certificates<br>
- and sometimes ones that don't exactly match the domain being<br>
fetched (for example, the certificate wouldn't be valid for that<br>
specific subdomain - note that CAs often charge a premium for multiple<br>
subdomains, which is why small or non-profit Web sites sometimes skimp on<br>
them).<br>
<br>
You shouldn't assume that the experience of well-connected people in<br>
the Silicon Valley is representative of what people over the world<br>
encounter. Yes, where there's a lot of money and a lot of accumulated<br>
domain competence, security procedures are updated and followed more<br>
scrupulously...<br>
<div class=""><br>
> But at least some of the<br>
> time it will be a wake-up call and an expired certificate will be replaced,<br>
> resulting in more security for all.<br>
<br>
</div>Only if you are actually the one managing that certificate and the<br>
machine it's installed on...<br>
<br>
Regards<br>
<span class="HOEnZb"><font color="#888888"><br>
Antoine.<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
_______________________________________________<br>
Python-Dev mailing list<br>
<a href="mailto:Python-Dev@python.org">Python-Dev@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/python-dev" target="_blank">https://mail.python.org/mailman/listinfo/python-dev</a><br>
Unsubscribe: <a href="https://mail.python.org/mailman/options/python-dev/guido%40python.org" target="_blank">https://mail.python.org/mailman/options/python-dev/guido%40python.org</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>--Guido van Rossum (<a href="http://python.org/~guido">python.org/~guido</a>)
</div>
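The thread argues over whether turning certificate verification on by default in a 2.7 bugfix release will break old scripts talking to services with expired or mismatched certificates. Guido's advice to "test upgrades before committing to them" is easy to act on: the script below, an added example that is not part of this thread or of CPython itself, connects to each host the way a verifying Python does (the `ssl.create_default_context()` defaults that the next 2.7 release adopted) and reports whether the certificate is accepted and, if not, which of the failure modes Antoine mentions it hits. It assumes Python 3.7 or later (for `SSLCertVerificationError.verify_code`); the host names in `SAMPLE_HOSTS` are constructed placeholders, and the `VERIFY_CODES` labels are this example's own names for OpenSSL's `X509_V_ERR_*` codes.

```python
"""Pre-upgrade audit: connect to each host with a verifying TLS context and
report why an old script would stop working once verification is the default."""
import socket
import ssl

# Constructed sample: hosts an old script might talk to (placeholders only).
SAMPLE_HOSTS = ["legacy.internal.example", "api.example"]

# OpenSSL X509_V_ERR_* codes exposed via SSLCertVerificationError.verify_code
# (Python 3.7+). The numeric values are OpenSSL's; the labels are ours.
VERIFY_CODES = {
    9: "not_yet_valid",
    10: "expired",
    18: "self_signed_leaf",
    19: "self_signed_in_chain",
    20: "unknown_issuer",
    62: "hostname_mismatch",
}


def verifying_context():
    """Build the context that became the default: a CA-signed chain is
    required and the certificate must match the requested hostname."""
    ctx = ssl.create_default_context()
    # These two settings are exactly what the old 2.7 behaviour lacked.
    assert ctx.verify_mode == ssl.CERT_REQUIRED
    assert ctx.check_hostname
    return ctx


def classify(exc):
    """Map a certificate verification failure to a short, actionable label."""
    code = getattr(exc, "verify_code", None)
    if code in VERIFY_CODES:
        return VERIFY_CODES[code]
    # Fall back to the message text when no verify_code is available.
    msg = getattr(exc, "verify_message", None) or str(exc)
    lowered = msg.lower()
    if "expired" in lowered:
        return "expired"
    if "hostname" in lowered or "doesn't match" in lowered:
        return "hostname_mismatch"
    if "self signed" in lowered or "self-signed" in lowered:
        return "self_signed_leaf"
    return "other: " + msg


def probe(host, port=443, timeout=5.0):
    """Return ('ok', notAfter) when the host verifies, ('verify_failed', label)
    when the certificate is rejected, or ('error', text) for other failures
    (unresolvable name, refused connection, non-TLS port, ...)."""
    ctx = verifying_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return ("ok", cert.get("notAfter"))
    except ssl.SSLCertVerificationError as exc:
        return ("verify_failed", classify(exc))
    except (ssl.SSLError, OSError) as exc:
        return ("error", str(exc))


def audit(hosts):
    """Probe every host and collect the results keyed by host name."""
    return {host: probe(host) for host in hosts}


if __name__ == "__main__":
    for host, result in audit(SAMPLE_HOSTS).items():
        print("%-30s %s" % (host, result))
```

Run it against the hosts your own scripts contact before rolling out the upgrade: an `expired` or `hostname_mismatch` entry is a certificate to fix on that server (or, for a server you do not control, a ticket for whoever does), while an `unknown_issuer` entry usually means a private CA that needs to be added to the client's trust store rather than verification switched off.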