On Jan 22, 2014, at 9:19 AM, Paul Moore <p.f.moore@gmail.com> wrote:
On 22 January 2014 13:55, Donald Stufft <donald@stufft.io> wrote:
As an additional side note, anecdotal evidence and what not, but *every* time I bring this up somewhere I get at least one reply that looks similar to https://twitter.com/ojiidotch/status/425986619879866368
Surprise that Python doesn't verify certs is one thing. I would also like to live in a world where Python has always verified certs, and all the issues have already been resolved. Imposing breakage on end users because we haven't managed to persuade application developers to do the right thing yet (even though it appears we've made it one-line-of-code easy to do so) is another thing entirely.
Note: That it requires users to even be aware they *need* to do that one line of code, which many are not.
But the deprecation cycle gives application developers time (and a deadline) so I'm happy with that.
Awesome, it looks like I’ll be writing a PEP to handle this. I wasn’t sure if it needed one or not.
Although from MAL's original comment:
Note that several python.org services use CAcerts which would no longer be accessible per default following such a change.
The PSF needs to get that sorted before making cert validation the default in Python, IMO.
I’m not aware of which services those are, if MAL (or anyone else) can point them out I’ll see what I can do to make that happen.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA