<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Sep 8, 2014, at 6:43 PM, Nick Coghlan <<a href="mailto:ncoghlan@gmail.com" class="">ncoghlan@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><p dir="ltr" class=""><br class="">
On 9 Sep 2014 08:30, "Donald Stufft" <<a href="mailto:donald@stufft.io" class="">donald@stufft.io</a>> wrote:<br class="">
><br class="">
> If someone wants to do this, can’t they write their own 6 line function?</p><p dir="ltr" class="">Unfortunately not, as the domain knowledge required to know what those six lines should look like is significant.</p><p dir="ltr" class="">Keeping the old unsafe behaviour around with a more obviously dangerous name is much simpler than explaining to people "Here, copy this chunk of code you don't understand".</p><p dir="ltr" class="">If we were starting with a blank slate there's no way we'd offer such a thing, but as Jim pointed out, we do want to make it relatively easy for Standard Operating Environment maintainers to hack around it if necessary.</p><p dir="ltr" class="">Cheers,<br class="">
Nick.</p><p dir="ltr" class="">><br class="">
> import ssl<br class="">
> import urllib.request<br class="">
> _real_urlopen = urllib.request.urlopen<br class="">
> def _unverified(*args, **kwargs):<br class="">
> if not kwargs.keys() & {“context”, “cafile”, “capath”, “cadefault”}:<br class="">
> ctx = ssl.create_default_context()<br class="">
> ctx.verify_mode = CERT_NONE<br class="">
> ctx.verify_hostname = False<br class="">
> kwargs[“context”] = ctx<br class="">
> return _real_urlopen(*args, **kwargs)<br class="">
><br class="">
> ---<br class="">
> Donald Stufft<br class="">
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA<br class="">
><br class="">
</p>
</div></blockquote></div><div class=""><br class=""></div><div class="">Why isn’t documentation with appropriate red warnings a suitable place if we really must have it? That sounds like a much better solution that some weird function people monkeypatch. It gives them more control over things (maybe they have a valid certificate chain, but an invalid host name!), it’ll work across all Python implementations, and most importantly, it gives us a place where there is some long form location to be like “yea you really probably don’t want to be doing this” in big red letters.</div><div class=""><br class=""></div><div class="">Overall I’m -1 on either offering the function or documenting it at all, but if we must do something then I think documentation is more than enough.</div><br class=""><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">---</div><div class="">Donald Stufft</div><div class="">PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA</div></div></div>
</div>
<br class=""></body></html>