[Python-Dev] PEP 476: Enabling certificate validation by default!
Christian Heimes
christian at python.org
Mon Sep 1 09:13:33 CEST 2014
On 01.09.2014 08:44, Nick Coghlan wrote:
> Yes, it would have exactly the same security failure modes as
> sitecustomize, except it would only fire if the application
> imported the ssl module.
>
> The "-S" and "-I" switches would need to disable the implied
> "sslcustomize", just as they disable "import site".
A malicious package can already play havoc with your installation with
a custom ssl module. If somebody is able to sneak in a ssl.py then you
are screwed anyway. sslcustomize is not going to make the situation worse.
Christian
More information about the Python-Dev
mailing list