[Python-Dev] PEP 476: Enabling certificate validation by default!

Ethan Furman ethan at stoneleaf.us
Thu Sep 4 02:17:44 CEST 2014

On 09/03/2014 05:00 PM, Ethan Furman wrote:
> On 09/03/2014 04:36 PM, Antoine Pitrou wrote:
>> On Thu, 4 Sep 2014 09:19:56 +1000
>> Nick Coghlan <ncoghlan at gmail.com> wrote:
>>>> Python is routinely updated to bugfix releases by Linux distributions
>>>> and other distribution channels, you usually have no say over what's
>>>> shipped in those updates. This is not like changing the major version
>>>> used for executing the script, which is normally a manual change.
>>> We can potentially deal with the more conservative part of the user base on
>>> the redistributor side - so long as the PEP says it's OK for us to not
>>> apply this particular change if we deem it appropriate to do so.
>> So people would believe python.org that they would get HTTPS cert
>> validation by default, but their upstream distributor would have
>> disabled it for them? That's even worse...
> I agree.  If the vendors don't want to have validation by default, they should stick with 2.7.8.

If good argument can be made for why we should make validation by default optional, then that point should be well made 
in Python's release notes, and some easy programmatic way to tell if validation is on or off  (which may just be more 
docs saying call SSLContext and examine the results:  xxx means you're validating, yyy means you are not).


More information about the Python-Dev mailing list