On 25 November 2015 at 00:27, Laura Creighton <lac@openend.se> wrote:
In a message of Tue, 24 Nov 2015 14:05:53 +0000, Paul Moore writes:
Simply adding "people who have no control over their broken infrastructure" with a note that this PEP helps them, would be sufficient here (and actually helps the case for the PEP, so why not? ;-))
But does it help them? Or does it increase the power of those who hand out certificates and who are intensely security conscious over those who would like to get some work done this afternoon?
In situations where IT are still the "Department of No", rather than focusing on facilitating folks in getting their work done, I think the most likely outcome of the configuration file recommendation in PEP 493 is preservation of the status quo: admins simply won't change the config setting, even if they deploy a version of Linux that adopts the approach suggested in the PEP. If they do enable full certificate verification (or upgrade the environments they provide to a version of Python that has it enabled by default) without doing appropriate compatibility testing first, then they're going to hit the compatibility problems Paul is talking about. The aspect of the PEP that has the potential to help in the case of poor infrastructure management is providing the ability to globally turn off certificate verification on a per-process basis. It's the networking equivalent of monkeypatching - you know there are risks with doing it, but also judge the near term benefits to outweigh those longer term risks in your particular situation. Cheers, Nick. -- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia