On 11 November 2015 at 10:47, Nick Coghlan <ncoghlan@gmail.com> wrote:

Our last discussion back in July seemed to show that folks either
didn't care about the question (because they're using unmodified
upstream versions so the PEP didn't affect them), or else thought the
approach described in the PEP was reasonable, so I'm hoping the
consequences of my mistake won't be too severe.

RHEL 7.2 is out today, together with details of what we've now committed to supporting for certification verification configuration in the RHEL 7 system Python: https://access.redhat.com/articles/2039753

That article also describes the PEP 476 status across the different Python builds Red Hat supports, which I've summarised below.

Versions with PEP 476 implemented:

* Python 3.4 SCL: cert verification always enabled by default

* system Python in RHEL 7.2+: still off by default due to the compatibility break, but with PEP 493's file based configuration setting to enable it by default

Versions without PEP 476 implemented:

* Python 2.7 SCL

* Python 3.3 SCL

* system Python in RHEL 7.1 and earlier

* system Python in all versions of RHEL 6

I assume that status of the Python 2.7 SCL will change at some point, but don't have an ETA or any technical details to share at this point.

The system Python versions in RHEL 5 and earlier didn't include the ssl module at all (since that was only added to the standard library in Python 2.6), so they're not affected by the concerns raised in PEP 476 in the first place.

Regards,

Nick.

Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia