[Python-Dev] PEP 476: Enabling certificate validation by default!

Nick Coghlan ncoghlan at gmail.com
Wed Sep 3 01:01:55 CEST 2014


On 3 Sep 2014 08:18, "Alex Gaynor" <alex.gaynor at gmail.com> wrote:
>
> Antoine Pitrou <solipsis <at> pitrou.net> writes:
>
> >
> > And how many people are using Twisted as an HTTPS client?
> > (compared to e.g. Python's httplib, and all the third-party libraries
> > building on it?)
> >
>
> I don't think anyone could give an honest estimate of these counts,
however
> there's two factors to bare in mind: a) It's extremely strongly
recommended to
> use requests to make any HTTP requests precisely because httplib is
negligent
> in certificate and hostname checking by default, b) We're talking about
> Python3, which has fewer users than Python2.

Creating *new* incompatibilities between Python 2 & Python 3 is a major
point of concern. One key focus of 3.5 is *reducing* barriers to migration,
and this PEP would be raising a new one.

It's a change worth making, but we have time to ensure there are easy ways
to do things like skipping cert validation, or tolerate expired
certificates.

Regards,
Nick.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140903/b4b9f71f/attachment.html>


More information about the Python-Dev mailing list