[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

Donald Stufft donald at stufft.io
Mon Jun 3 21:06:56 CEST 2013


On Jun 3, 2013, at 1:07 PM, Barry Warsaw <barry at python.org> wrote:

> On Jun 03, 2013, at 02:17 PM, Donald Stufft wrote:
> 
>> I'd actually prefer for Linux to not use the bundled certs when installed
>> from a package manager because it should use the system certs, but people
>> can't depend on certs being there if they are only there on Linux.
> 
> I think we agree on that.
> 
>> Adding them into Python means people _can_ depend on them being there, and
>> Windows and other systems without system integrators to modify it to use the
>> system store will still get certs and Ubuntu can make it just work(™).
> 
> Again, I think PEP 431 provides a pretty good model for how this should be
> done.  Maybe it's worth factoring out this specific part of PEP 431 into an
> informational PEP?

Looks fine to me minus the not updating in security releases (but that's just
a difference in the type of data).

> 
>> This would probably (eventually) make the bundling of certificates better
>> too.
>> 
>> Meaning that once it's been in long enough people are willing to depend on
>> it, they won't need to bundle their own certs and Ubuntu/Debian can just
>> modify the one location instead of needing to modify it for every package
>> that does it.
> 
> Can we do the same for the JavaScript libraries? :)
> 
> -Barry


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
