[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Barry Warsaw barry at python.org
Mon Jun 3 18:48:36 CEST 2013


On Jun 03, 2013, at 09:05 AM, Ben Darnell wrote:

>The data is analogous to the time zone database (PEP 431) in that it may
>need to be updated independently of Python's own release schedule, so we
>may want to use similar techniques to manage both.  Also see certifi (
>https://pypi.python.org/pypi/certifi), which is a copy of the Mozilla list
>in a pip-installable form.

Right, this is very much analogous, except with the additional twist that
out-of-date certificates can pose a significant security risk.

I'm fairly certain that Debian and Ubuntu would explicitly not use any
certificates shipped with Python, for two main reasons: 1) our security teams
already manage the certificate store distro-wide and we want to make sure that
one update fixes everything; 2) we don't want to duplicate code in multiple
packages[1].

So *if* Python decides to do this (and I'm -0, but from a decidedly
Linux-distro bias), it must be easily disabled.  I generally like the way PEP
431 handles the tzdata, so I think we should do the same here.

-Barry

[1] This gives us headaches in upstreams like coverage caused by bundling
externally available JavaScript libraries, or like urllib3 bundling chardet
and urllib3, not to mention their own certificates yet again. :(
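The practical shape of "must be easily disabled" is a trust-store selection order: use the platform store unless an explicit bundle (such as certifi's copy of the Mozilla list) is requested. The following is an added illustration written for this page, not code from this thread, from CPython, certifi or Debian; the EXAMPLE_CA_BUNDLE override variable is an assumption made for the example and is not defined by Python or certifi.

```python
"""Choosing a trust store for TLS verification in Python: the platform store by
default, an explicit CA bundle only when the caller or operator asks for one.
Added illustration for this thread; not code from CPython, certifi or Debian."""
import os
import ssl
from pathlib import Path
from typing import Optional, Tuple

# Hypothetical override knob chosen for this example (not defined by Python or certifi).
BUNDLE_ENV_VAR = "EXAMPLE_CA_BUNDLE"


def bundled_ca_path() -> Optional[str]:
    """Path of the pip-installed Mozilla bundle if certifi is importable, else None."""
    try:
        import certifi  # optional dependency, as on PyPI
    except ImportError:
        return None
    return certifi.where()


def build_client_context(bundle_path: Optional[str] = None,
                         prefer_bundled: bool = False) -> Tuple[ssl.SSLContext, str]:
    """Return (context, source); source is 'explicit', 'env', 'certifi' or 'system'.

    Precedence: explicit argument, then BUNDLE_ENV_VAR, then certifi (only if the
    caller opted in), then the platform trust store. The last is the distro-friendly
    default: one update to the system certificate store fixes every consumer.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already implies these; set them explicitly for clarity.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED

    candidates = [
        ("explicit", bundle_path),
        ("env", os.environ.get(BUNDLE_ENV_VAR)),
        ("certifi", bundled_ca_path() if prefer_bundled else None),
    ]
    for source, path in candidates:
        if path:
            if not Path(path).is_file():
                # Fail closed: never silently fall back to a different store.
                raise FileNotFoundError(f"CA bundle from {source} not found: {path}")
            # Only the named bundle is trusted; the system store is not merged in.
            ctx.load_verify_locations(cafile=path)
            return ctx, source

    # Platform trust store (e.g. /etc/ssl/certs on Debian-derived systems).
    ctx.load_default_certs(purpose=ssl.Purpose.SERVER_AUTH)
    return ctx, "system"


def system_store_paths() -> dict:
    """Where this build of OpenSSL looks for the platform trust store."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,
        "capath": p.capath,
        "openssl_cafile_env": p.openssl_cafile_env,
        "openssl_capath_env": p.openssl_capath_env,
    }


if __name__ == "__main__":
    context, chosen = build_client_context()
    print("trust source:", chosen, "| CA certs loaded:", len(context.get_ca_certs()))
    print("system store:", system_store_paths())
```

A distro packager disabling a bundled store would simply never set the override, so every process verifies against the store its security team maintains; an application that needs the Mozilla list on a platform without a usable system store opts in with `prefer_bundled=True`.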