[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Barry Warsaw barry at python.org
Mon Jun 3 19:07:00 CEST 2013

On Jun 03, 2013, at 02:17 PM, Donald Stufft wrote:

>I'd actually prefer for Linux to not use the bundled certs when installed
>from a package manager because it should use the system certs, but people
>can't depend on certs being there if they are only there on linux.

I think we agree on that.

>Adding them into Python means people _can_ depend on them being there, and
>Windows and other systems without system integrators to modify it to use the
>system store will still get certs and Ubuntu can make it just work(™).

Again, I think PEP 431 provides a pretty good model for how this should be
done.  Maybe it's worth factoring out this specific part of PEP 431 into an
informational PEP?

>This would probably (eventually) make the bundling of certificates better
>Meaning that once it's been in long enough people are willing to depend on
>it, they won't need to bundle their own certs and ubuntu/debian can just
>modify the one location instead of needing to modify it for every package
>that does it.

Can we do the same for the JavaScript libraries? :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-dev/attachments/20130603/24178cfd/attachment.pgp>

More information about the Python-Dev mailing list