[Python-Dev] PEP 476: Enabling certificate validation by default!

Nick Coghlan ncoghlan at gmail.com
Thu Sep 4 01:19:56 CEST 2014

On 4 Sep 2014 04:39, "Antoine Pitrou" <solipsis at pitrou.net> wrote:
> On Wed, 3 Sep 2014 10:54:55 -0700
> Guido van Rossum <guido at python.org> wrote:
> >
> > Let's take the plunge on this issue for the next 2.7 release (3.5 being
> > done deal).
> I'm entirely against this.
> > Yes, some people will find that they have an old script
> > accessing an old service which breaks. Surely some of the other changes
> > the same 2.7 bugfix release will also break some other scripts. People
> > with it. Probably 90% of the time it's an annoyance (but no worse than
> > other minor-release upgrade -- you should test upgrades before
> > to them, and if all else fails, roll it back).
> Python is routinely updated to bugfix releases by Linux distributions
> and other distribution channels, you usually have no say over what's
> shipped in those updates. This is not like changing the major version
> used for executing the script, which is normally a manual change.

We can potentially deal with the more conservative part of the user base on
the redistributor side - so long as the PEP says it's OK for us to not
apply this particular change if we deem it appropriate to do so.

That would make this a case of upstream asking us to do the kind of risk
assessment that people pay us for, which is a kind of request I'm generally
happy to get :)

That way, if downstream users get upset, we can point them at their vendor
support department, rather than having them take out their ire on upstream

Also, after thinking through the implications a bit more, my guess is that
Fedora & Software Collections will accept the change without any fuss, but
the CentOS/RHEL side could be a more involved discussion. On the other
hand, orgs with these kinds of problems aren't likely to have rolled out
RHEL 7 or CentOS 7 yet either, so they're probably still back on Python 2.6
(RHEL 6) or even 2.4 (RHEL 5).

2.7.9 is going to be a somewhat "interesting" release that requires careful
attention anyway (due to the completion of the PEP 466 backports), so if
Guido's OK with it, sure, let's kill the "HTTPS isn't" problem for Python 2
as well.

One additional wrinkle in that case: we will likely need to backport the
SSLContext related changes to httplib as well.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140904/76f29cf2/attachment.html>

More information about the Python-Dev mailing list