There's a lot to process in this thread, but as I see it, the issue breaks down to these questions: * How should PEP 493 be implemented? * What should the default be? * How should PEP 493 be worded to express the right tone to redistributors? Let me take on the implementation details here. On Nov 24, 2015, at 04:04 PM, M.-A. Lemburg wrote:
I would still find having built-in support for the recommendations in the Python stdlib a better approach
As would I. Currently the PEP contains some sample code for reading a configuration file and an environment variable, and assigning the default behavior based on these values. The first improvement to the stdlib I would have made would have been to add a convenience function to ssl to enable and disable the verification. Something like this: def ssl.verify_certificates(enable) Then at the simplest level, an application that wants to enable higher security could do this early in its main entry point: import ssl if hasattr(ssl, 'verify_certificates'): ssl.verify_certificates(True) or ... ssl.verify_certificates(False) and that would work regardless of the platform default, and it would work properly on older versions of Python 2.7 that didn't have the backport. This seems so straightforward, I'm wondering why PEP 493 doesn't consider it. I would like to see the sample code in PEP 493 implemented in the stdlib. It would then be a matter of cherry picking that should a distro decide to backport it. It means one less non-trivial delta from upstream which has to be managed separately. The only difference to the combined approach I'd make is to handle the case where the _cert_verification_config file doesn't exist. (If you included the convenience method above, then the sample code could be simplified down to a default for the `enable` parameter and a call to ssl.verify_certificates().) Is it too late to include both of those suggestions in PEP 493 and Python 2.7.11? Cheers, -Barry