[Python-Dev] PEP476: Enabling certificate validation by default

Guido van Rossum guido at python.org
Sat Sep 20 18:46:56 CEST 2014 

Nice. I just realized the release candidate for 3.4.2 is really close (RC1
Monday, final Oct 6, see PEP 429). What's your schedule for 3.4? I see no
date for 2.7.9 yet (but that could just be that PEP 373 hasn't been
updated). What about the Apple and Microsoft issues Christian pointed out?

Regarding the approval process, I want to get this into 2.7 and 3.4, but I
want it done right, and I'm not convinced that the implementation is
sufficiently worked out. I don't want you to feel rushed, and I don't want
you to feel that you can't start coding until the PEP is approved, but I
also feel that I want to see more working code and some beta testing before
it goes live. Perhaps I should just approve the PEP but separately get to
approve the code? (Others will have to review it for correctness -- but I
want to understand and review the API.)

On Sat, Sep 20, 2014 at 8:54 AM, Alex Gaynor <alex.gaynor at gmail.com> wrote:

> Done and done.
>
> Alex
>
> On Fri, Sep 19, 2014 at 4:13 PM, Guido van Rossum <guido at python.org>
> wrote:
>
>> +1 on Nick's suggestion. (Might also mention that this is the reason why
>> both functions should exist and have compatible signatures.)
>>
>> Also please, please, please add explicit mention of Python 2.7, 3.4 and
>> 3.5 in the Abstract (for example in the 3rd paragraph of the abstract).
>>
>> On Fri, Sep 19, 2014 at 3:52 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>>
>>> On 20 September 2014 08:34, Alex Gaynor <alex.gaynor at gmail.com> wrote:
>>> > Pushed a new version which I believe adresses all of these. I added an
>>> > example of opting-out with urllib.urlopen, let me know if there's any
>>> other
>>> > APIs you think I should show an example with.
>>>
>>> It would be worth explicitly stating the process global monkeypatching
>>> hack:
>>>
>>>     import ssl
>>>     ssl._create_default_https_context = ssl._create_unverified_context
>>>
>>> Adding that hack to sitecustomize allows corporate sysadmins that can
>>> update their standard operating environment more easily than they can
>>> fix invalid certificate infrastructure to work around the problem on
>>> behalf of their users. It also helps out users that will be able to
>>> deal with such broken infrastructure without updating each and every
>>> one of their scripts.
>>>
>>> It's deliberately ugly because it's a genuinely bad idea that folks
>>> should want to avoid using, but as a matter of practical reality,
>>> corporate IT departments are chronically understaffed, and often fully
>>> committed to fighting the crisis du jour, without sufficient time
>>> being available for regular infrastructure maintenance tasks.
>>>
>>> Regards,
>>> Nick.
>>>
>>> --
>>> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
>>>
>>
>>
>>
>> --
>> --Guido van Rossum (python.org/~guido)
>>
>
>
>
> --
> "I disapprove of what you say, but I will defend to the death your right
> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: 125F 5C67 DFE9 4084
>



-- 
--Guido van Rossum (python.org/~guido)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140920/8dea521d/attachment.html>

More information about the Python-Dev mailing list