On 6 Jul 2015 20:23, "Antoine Pitrou" <solipsis@pitrou.net> wrote:
> On Mon, 6 Jul 2015 14:22:46 +1000
> Nick Coghlan <ncoghlan@gmail.com> wrote:
> >
> > The main change from the last version discussed on python-ideas
> Was it discussed there? That list has become totally useless, I've
> stopped following it.
> > * modify the ``ssl`` module to read the ``PYTHONHTTPSVERIFY`` environment
> >   variable when the module is first imported into a Python process
> Have you passed that by RedHat's security experts?

Yeah, they were the ones that finally persuaded me that this design was reasonable. If I understood their explanation correctly, the gist is that if you're running with elevated permissions while allowing arbitrary processes to set environment variables, you've already opened up so many attack vectors that the only reasonable defence is "don't do that", and hence higher level design decisions like sudo running in root's environment, not the individual user's. Since having the selective downgrade option available makes it easier to justify the default security *up*grade, it works out as a net win.

However, I did just realise there's a bug in the current definition of that feature - it should respect the "ignore environment" flag, but it's currently specified as being unconditional.


> Regards
> Antoine.
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> https://mail.python.org/mailman/listinfo/python-dev
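To make the bug Nick describes concrete, here is an added illustration (not CPython's code or anything from the thread) of the difference between reading ``PYTHONHTTPSVERIFY`` unconditionally and reading it only when the interpreter was not started with ``-E``; the helper names are invented, and ``ssl._create_unverified_context`` is assumed to be available as in 2.7.9+/3.4.3+.

```python
import os
import ssl
import sys

# Variable name taken from the thread; the functions below are illustrative,
# not the ssl module's own implementation.
HTTPS_VERIFY_ENVVAR = "PYTHONHTTPSVERIFY"


def verify_disabled_unconditional(environ):
    """The behaviour the message calls a bug: the variable is honoured even
    when the interpreter was told to ignore its environment."""
    return environ.get(HTTPS_VERIFY_ENVVAR) == "0"


def verify_disabled(environ, ignore_environment):
    """Corrected rule: under -E (sys.flags.ignore_environment) the variable is
    ignored, so verification can only be downgraded by a process that was
    started in a mode that trusts its environment at all."""
    if ignore_environment:
        return False
    return environ.get(HTTPS_VERIFY_ENVVAR) == "0"


def https_context(environ=None, ignore_environment=None):
    """Return the SSL context an HTTPS client should use. The default is the
    verifying context; only the exact value "0" selects the unverified one."""
    if environ is None:
        environ = os.environ
    if ignore_environment is None:
        ignore_environment = bool(sys.flags.ignore_environment)
    if verify_disabled(environ, ignore_environment):
        return ssl._create_unverified_context()
    return ssl.create_default_context()


if __name__ == "__main__":
    # Constructed input: a process that inherited a downgrade request from
    # its environment, checked with and without -E in effect.
    inherited_env = {HTTPS_VERIFY_ENVVAR: "0"}
    print("unconditional:", verify_disabled_unconditional(inherited_env))  # True
    print("with -E:      ", verify_disabled(inherited_env, True))          # False
    print("without -E:   ", verify_disabled(inherited_env, False))         # True
    ctx = https_context(inherited_env, ignore_environment=True)
    print("hostname checked under -E:", ctx.check_hostname)                # True
```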