[Python-Dev] PEP 476: Enabling certificate validation by default!

Ethan Furman ethan at stoneleaf.us
Thu Sep 4 02:00:39 CEST 2014


On 09/03/2014 04:36 PM, Antoine Pitrou wrote:
> On Thu, 4 Sep 2014 09:19:56 +1000
> Nick Coghlan <ncoghlan at gmail.com> wrote:
>>>
>>> Python is routinely updated to bugfix releases by Linux distributions
>>> and other distribution channels, you usually have no say over what's
>>> shipped in those updates. This is not like changing the major version
>>> used for executing the script, which is normally a manual change.
>>
>> We can potentially deal with the more conservative part of the user base on
>> the redistributor side - so long as the PEP says it's OK for us to not
>> apply this particular change if we deem it appropriate to do so.
>
> So people would believe python.org that they would get HTTPS cert
> validation by default, but their upstream distributor would have
> disabled it for them? That's even worse...

I agree.  If the vendors don't want to have validation by default, they should stick with 2.7.8.

--
~Ethan~

