On 24 November 2015 at 17:16, Toshio Kuratomi <a.badger@gmail.com> wrote:
> The long term answer for such environments is to update their internal certificate management to at least match the standards set by the public internet, but in the meantime, it is desirable to offer these administrators a way to continue receiving maintenance updates to the Python 2.7 series, without having to gate that on upgrades to their certificate management infrastructure.
>
> + The wording here seems to reflect a different scope than merely backporting by distros. Perhaps we should change it to: "[...]set by the public internet. Distributions may wish to help these sites transition by backporting the PEP 476 changes to earlier versions of python in a way that does not require the administrators to upgrade their certificate management infrastructure immediately. This would allow sites to choose to use the distribution supplied python in a backwards compatible fashion until their certificate management infrastructure was updated and then toggle their site to utilize the more secure features provided by PEP 476."
I'm not actually sure that it's the place of this PEP to even comment on what the long term answer for such environments should be (or indeed, any answer, long term or not). I've argued the position that in some organisations it feels like security don't actually understand the issues of carefully balancing secure operation against flexible development practices, but conversely it's certainly true that in many organisations, they *have* weighed the various arguments and made an informed decision on how to set up their internal network. It's entirely possible that self-signed certificates are entirely the right decision for their circumstances. Why would a Python PEP be qualified to comment on that decision?

In my opinion, we should take all of the value judgements out of this paragraph, and just state the facts. How about:

"""
In order to provide additional flexibility to allow infrastructure administrators to provide the appropriate solution for their environment, this PEP offers a way for administrators to upgrade to later versions of the Python 2.7 series without being forced to update their existing security certificate management infrastructure as a prerequisite.
"""

Paul