[Python-Dev] PEP 476: Enabling certificate validation by default!

Thu Sep 4 01:29:00 CEST 2014

On 4 Sep 2014 06:39, "Alex Gaynor" <alex.gaynor at gmail.com> wrote:
>
> Guido van Rossum <guido <at> python.org> writes:
>
> > OK, that changes my position for 2.7 (but not for 3.5). I had assumed
there
> > was a way to disable the cert check by changing one parameter to the
> > urlopen() call. (And I had wanted to add that there should be a clear
FAQ
> > about the subject.) If this isn't possible that changes the situation.
(But I
> > still think that once we do have that simple change option we should do
it,
> > in a later 2.7 upgrade.) I apologize for speaking before I had read all
> > facts, and I'll await what you and Nick come up with.
> > --Guido
>
> This probably doesn't surprise anyone, but I'm more than happy to do the
back-
> porting work for httplib, and any other modules which need SSLContext
support;
> does this require an additional PEP, or does it fit under PEP466 or
PEP476?

I suggest writing up a separate PEP for 2.7 that covers exactly what would
need to be backported in order to make the same HTTPS handling change in
Python 2.

For 476, I suggest taking my list of modules that call
"_create_stdlib_cert" and being completely explicit as to which ones are
*not* changing (as that will help clarify the scope of the backport
proposal).

I learned that lesson with PEP 453 - it's well worth making the Python 3
PEP easier to accept by making it independent of the inevitably more
controversial Python 2 backport PEP :)

Cheers,
Nick.

>
> Alex
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
https://mail.python.org/mailman/options/python-dev/ncoghlan%40gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140904/12b7d4f0/attachment-0001.html>