[Python-Dev] PEP 476: Enabling certificate validation by default!
solipsis at pitrou.net
Thu Sep 4 01:36:40 CEST 2014
On Thu, 4 Sep 2014 09:19:56 +1000
Nick Coghlan <ncoghlan at gmail.com> wrote:
> > Python is routinely updated to bugfix releases by Linux distributions
> > and other distribution channels, you usually have no say over what's
> > shipped in those updates. This is not like changing the major version
> > used for executing the script, which is normally a manual change.
> We can potentially deal with the more conservative part of the user base on
> the redistributor side - so long as the PEP says it's OK for us to not
> apply this particular change if we deem it appropriate to do so.
So people would believe python.org that they would get HTTPS cert
validation by default, but their upstream distributor would have
disabled it for them? That's even worse...
Of course, people could read distribution-specific package changelogs,
but nobody does that.
> 2.7.9 is going to be a somewhat "interesting" release that requires careful
> attention anyway (due to the completion of the PEP 466 backports), so if
> Guido's OK with it, sure, let's kill the "HTTPS isn't" problem for Python 2
> as well.
Possible unvoluntary breakage due to a large backport is one thing.
Deliberate breakage is another.
More information about the Python-Dev