[Python-Dev] Backwards compatibility after certificate autovalidation

Guido van Rossum guido at python.org
Tue Sep 9 05:40:18 CEST 2014


The multiple threads going on are confusing (or maybe GMail makes them more
confusing), but the architecture you are sketching here sounds good. I
can't find get_default_context() in the repo, but perhaps I need to
refresh, or perhaps you're talking about a design in a PEP.

On Mon, Sep 8, 2014 at 8:03 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:

>
> On 9 Sep 2014 10:48, "Jim J. Jewett" <jimjjewett at gmail.com> wrote:
> > I assume that adding _unverified_urlopen or urlopen(context=...) do
> > provide incremental improvements compatible with the eventual full
> > opt-in.  If so, adding them is probably reasonable, but I think the
> > PEP should explicitly list all such approved half-measures as a guard
> > against API feature creep.
>
> From Guido's and your feedback, I think we may need two things to approve
> this for 3.4.2 (putting 2.7 aside for now):
>
> 1. "context" parameter support in urllib.request (to opt out on a per-call
> basis)
> 2. a documented way to restore the old behaviour via sitecustomize (which
> may involve monkeypatching)
>
> The former change seems non-controversial.
>
> I think the more fine-grained solution for the latter can wait until 3.5
> (and will be an independent PEP), we just need an interim workaround for
> 3.4 that could conceivably be backported to 2.7.
>
> On that front, ssl currently has two context factories:
> get_default_context() and _get_stdlib_context. One possible option would be
> to:
>
> 1. Rename "_get_stdlib_context" to "_get_unverified_context"
> 2. Add "_get_https_context" as an alias for "get_default_context"
>
> Opting out on a per-call basis means passing an unverified context.
>
> Opting out globally would mean monkeypatching _get_https_context to refer
> to _get_unverified_context instead.
>
> These would both be documented as part of transition, but with clear
> security warnings. The use of the leading underscores in the names is
> intended to emphasise "you probably don't want to be using this".
>
> Regards,
> Nick.
>
>
> >
> > -jJ
> > _______________________________________________
> > Python-Dev mailing list
> > Python-Dev at python.org
> > https://mail.python.org/mailman/listinfo/python-dev
> > Unsubscribe:
> https://mail.python.org/mailman/options/python-dev/ncoghlan%40gmail.com
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> https://mail.python.org/mailman/options/python-dev/guido%40python.org
>
>


-- 
--Guido van Rossum (python.org/~guido)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140908/d7ca5cc2/attachment.html>


More information about the Python-Dev mailing list