[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Donald Stufft donald at stufft.io
Mon Jun 3 20:17:48 CEST 2013

On Jun 3, 2013, at 12:48 PM, Barry Warsaw <barry at python.org> wrote:

> On Jun 03, 2013, at 09:05 AM, Ben Darnell wrote:
>> The data is analogous to the time zone database (PEP 431) in that it may
>> need to be updated independently of Python's own release schedule, so we
>> may want to use similar techniques to manage both.  Also see certifi (
>> https://pypi.python.org/pypi/certifi), which is a copy of the Mozilla list
>> in a pip-installable form.
> Right, this is very much analogous, except with the additional twist that
> out-of-date certificates can pose a significant security risk.
> I'm fairly certain that Debian and Ubuntu would explicitly not use any
> certificates shipped with Python, for two main reasons: 1) our security teams
> already manage the certificate store distro-wide and we want to make sure that
> one update fixes everything; 2) we don't want to duplicate code in multiple
> packages[1].
> So *if* Python decides to do this (and I'm -0, but from a decidedly
> Linux-distro bias), it must be easily disabled.  I generally like the way PEP
> 431 handles the tzdata, so I think we should do the same here.

I'd actually prefer for Linux to not use the bundled certs when installed from a package
manager because it should use the system certs, but people can't depend on certs
being there if they are only there on linux.

Adding them into Python means people _can_ depend on them being there, and Windows
and other systems without system integrators to modify it to use the system store will still
get certs and Ubuntu can make it just work(™).

> -Barry
> [1] This gives us headaches in upstreams like coverage caused by bundling
> externally available JavaScript libraries, or like urllib3 bundling chardet
> and urllib3, not to mention their own certificates yet again. :(

This would probably (eventually) make the bundling of certificates better too.

Meaning that once it's been in long enough people are willing to depend on it, they
won't need to bundle their own certs and ubuntu/debian can just modify the one
location instead of needing to modify it for every package that does it.

> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: http://mail.python.org/mailman/options/python-dev/donald%40stufft.io

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/c0cd530c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/c0cd530c/attachment.pgp>

More information about the Python-Dev mailing list