[Python-Dev] PEP 476: Enabling certificate validation by default!
Paul Moore
p.f.moore at gmail.com
Mon Sep 1 08:07:46 CEST 2014

On 31 August 2014 23:10, Nick Coghlan <ncoghlan at gmail.com> wrote:
> Assuming sslcustomize was in site-packages rather than the standard library
> directories, you would also be able to use virtual environments with an
> appropriate sslcustomize module to disable cert checking even if the
> application you were running didn't support direct configuration.

Would this mean that a malicious package could install a custom
sslcustomize.py and so add unwanted certs to the system? I guess we
have to assume that installed packages are trusted, but I just wanted
to be explicit.
Paul
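
The question above comes down to import-path precedence: whichever `sslcustomize` is found first on `sys.path` is the one that runs. The audit below is an added example, not part of the original message or of CPython; it assumes the hook keeps the name `sslcustomize` proposed in this thread and is located through the normal `sys.path` search.

```python
import os
import sys
from importlib.machinery import PathFinder

# "sslcustomize" is the name proposed in this thread; assumed hypothetical hook.
HOOK_NAME = "sslcustomize"


def find_candidates(name=HOOK_NAME, search_path=None):
    """List every file `import name` could resolve to, in sys.path order."""
    results = []
    for entry in (sys.path if search_path is None else search_path):
        directory = os.path.abspath(entry or os.getcwd())  # '' means cwd
        if not os.path.isdir(directory):
            continue  # zip archives and missing entries are skipped here
        spec = PathFinder.find_spec(name, [directory])
        if spec is None or not spec.origin or not os.path.exists(spec.origin):
            continue  # absent, or a namespace package with no file behind it
        parts = directory.split(os.sep)
        results.append({
            "origin": spec.origin,
            "wins": not results,  # only the first hit is actually imported
            "in_site_packages": "site-packages" in parts or "dist-packages" in parts,
            "dir_writable": os.access(directory, os.W_OK),
        })
    return results


def report(candidates):
    """Describe each candidate and how it could have got onto the path."""
    lines = []
    for c in candidates:
        status = "ACTIVE" if c["wins"] else "shadowed"
        flags = []
        if c["in_site_packages"]:
            flags.append("installable-by-any-package")
        if c["dir_writable"]:
            flags.append("writable-by-current-user")
        lines.append(f"{status} {c['origin']} [{', '.join(flags) or 'no flags'}]")
    return lines


if __name__ == "__main__":
    found = find_candidates()
    print("\n".join(report(found)) or f"no {HOOK_NAME} module on sys.path")
```

Run it with the interpreter of the environment being checked, since each virtual environment has its own `sys.path`.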