[Python-Dev] PEP 476: Enabling certificate validation by default!

Nick Coghlan ncoghlan at gmail.com
Wed Sep 3 12:34:32 CEST 2014

On 3 Sep 2014 18:28, "Cory Benfield" <cory at lukasa.co.uk> wrote:

> This is definitely true, and this change is both. The only question
> that matters is whether we believe we're doing users a service by
> breaking their code. I'd argue, along with Glyph, Alex and Donald,
> that we are. I've been on the losing side of this debate a number of
> times though, and I expect I will be again.

The default stdlib behaviour will change in 3.5, I don't think anyone is
disputing that. While I earlier said that should depend on the sslcustomize
PEP, I now think they should be made orthogonal so the SSL customisation
PEP can focus on its potential for *increasing* security in properly
configured environments rather than deliberately decreasing it after
upgrading to Python 3.5 in improperly configured ones.

The backwards compatibility argument only applies to Python 2 maintenance
releases (where dreid indicated an intention to request backporting the
change), and there I'm quite happy to take the position of "use requests,
Twisted or Python 3.5+ to get HTTPS done right".

There are a variety of reasons not to use the Python 2 stdlib for modern
networking, and making better tools more readily accessible to Python 2
users by backporting ensurepip is my preferred answer.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140903/36b5bd9a/attachment.html>

More information about the Python-Dev mailing list