On Mon, Jan 30, 2017 at 8:50 PM, Cory Benfield <cory@lukasa.co.uk> wrote:

> On 30 Jan 2017, at 13:53, David Cournapeau <cournape@gmail.com> wrote:
>
> Are there any official recommendations for downstream packagers beyond PEP 476 ? Is it "acceptable" for downstream packagers to patch python's default cert locations ?

There *are* no default cert locations on Windows or macOS that can be accessed by OpenSSL.

Also, doesn't that contradict the wording of PEP 476, specifically " Python would use the system provided certificate database on all platforms. Failure to locate such a database would be an error, and users would need to explicitly specify a location to fix it." ?

Or is that PEP a long term goal, and not a description of the current status ?

David