[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

David Malcolm dmalcolm at redhat.com
Mon Jun 3 22:07:05 CEST 2013


On Mon, 2013-06-03 at 12:48 -0400, Barry Warsaw wrote:
> On Jun 03, 2013, at 09:05 AM, Ben Darnell wrote:
> 
> >The data is analogous to the time zone database (PEP 431) in that it may
> >need to be updated independently of Python's own release schedule, so we
> >may want to use similar techniques to manage both.  Also see certifi (
> >https://pypi.python.org/pypi/certifi), which is a copy of the Mozilla list
> >in a pip-installable form.
> 
> Right, this is very much analogous, except with the additional twist that
> out-of-date certificates can pose a significant security risk.
> 
> I'm fairly certain that Debian and Ubuntu would explicitly not use any
> certificates shipped with Python, for two main reasons: 1) our security teams
> already manage the certificate store distro-wide and we want to make sure that
> one update fixes everything; 2) we don't want to duplicate code in multiple
> packages[1].

Fedora/RHEL are in a similar position; I expect we'd rip out the bundled
certs in our builds shortly after unzipping the tarball, and use a
system-wide cert store (I "rm -rf" bundled libraries in our builds, to
make sure we're not using them).

[...snip...]
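The thread's practical point is that a TLS client should trust the CA store the operating system's security team maintains, not a bundle frozen at interpreter-release time. The following is an added example, not code from the python-dev thread or from CPython itself: it builds a client context that trusts only the platform store, shows the OpenSSL default locations (and the environment variables that override them) so you can tell which store is live, and, for contrast, builds a context pinned to an explicit bundle file of the kind `certifi` ships. The `bundle_path` argument and the helper names are this example's own, not an API of CPython or certifi.

```python
"""Inspect and choose the CA trust store a Python SSL client context uses.

Added example for the "system store vs. bundled certs" discussion; it is not
part of CPython, certifi, or the mailing-list message above.
"""
import os
import ssl


def system_verify_paths():
    """Report where OpenSSL looks for CAs by default, and any env overrides.

    The env-var names come from the OpenSSL build (normally SSL_CERT_FILE and
    SSL_CERT_DIR); a value set in the environment silently redirects every
    default context, which is worth checking during incident triage.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,
        "capath": p.capath,
        "cafile_env": p.openssl_cafile_env,
        "capath_env": p.openssl_capath_env,
        "env_cafile_override": os.environ.get(p.openssl_cafile_env),
        "env_capath_override": os.environ.get(p.openssl_capath_env),
    }


def system_trust_context():
    """Strict client context trusting only the platform CA store.

    create_default_context() already calls load_default_certs(), which pulls
    in the OpenSSL default cafile/capath and, on Windows, the OS cert stores.
    verify_mode and check_hostname are re-asserted so a later edit cannot
    quietly weaken them.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def bundle_trust_context(bundle_path):
    """Client context trusting only an explicit PEM bundle (e.g. certifi's).

    Nothing in the interpreter's release cycle refreshes that file, so the
    deployment owns revocations and root rotations. A missing or malformed
    bundle raises (FileNotFoundError / ssl.SSLError) rather than falling back
    to an empty trust set.
    """
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=bundle_path)
    return ctx


def trust_store_summary(ctx):
    """Summarise what a context actually trusts, to confirm the live store.

    Note: CAs in a capath directory are only counted once OpenSSL has used
    them, so a capath-only system can legitimately report count == 0 here.
    """
    cas = ctx.get_ca_certs()
    sample = []
    for cert in cas[:5]:
        subject = dict(rdn[0] for rdn in cert.get("subject", ()))
        sample.append(subject.get("commonName") or subject.get("organizationName", "?"))
    return {
        "count": len(cas),
        "sample": sample,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print("default verify paths:", system_verify_paths())
    print("system-store context:", trust_store_summary(system_trust_context()))
```

Run it on a distro-packaged Python and on a vendored one: the `cafile`/`capath` values and the CA count are the quickest way to see whether the interpreter is really honouring the system-wide store the distributions insist on, or a bundle that nobody is updating.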
