[Python-Dev] PYTHONHTTPSVERIFY env var

Antoine Pitrou solipsis at pitrou.net
Mon May 11 12:39:12 CEST 2015



I'm in entire agreement with Donald below.

Regards

Antoine.


On Mon, 11 May 2015 06:23:11 -0400
Donald Stufft <donald at stufft.io> wrote:
> 
> I don't really agree that the decision to disable TLS is an environment one,
> it's really a per application decision. This is why I was against having some
> sort of global off switch for all of Python because just because one
> application needs it turned off doesn't mean you want it turned off for another
> Python application. You might have some script that is interacting with a
> custom internal server which doesn’t have a valid TLS certificate but then you
> also have pip* installed which is reaching out to PyPI and downloading code
> from the internet. You might want to disable TLS verification for the first but
> you almost certainly don't want it to disable TLS verification for the second
> one.
> 
> In this regard I think that environment variables are somewhat better because
> they are far easier to set per application instead of in a way that affects
> every Python program. Per application is the *right* scope for this setting,
> especially in a system where people may or may not realize what is written in
> Python and what isn't. I think it's absolutely wrong to give people a footgun
> in the terms of a switch that turns off all of Python's TLS verification when
> for many applications the fact they use Python is simply an implementation
> detail.
> 
> That being said, since it's not being included in Python core and it's only
> some patch that some downstreams are going to apply I also don't really care
> that much because it's not going to affect me and if it turns out to be a bad
> idea and a footgun like I think it is, then the blame can rest on those
> downstreams and not us :)
> 
> I'm also not a fan of the environment variable either really for a lot of the
> reasons you've outlined here.
> 
> * Ignoring the fact that pip has (via requests/urllib3) worked around this
>   deficiency in Python and isn't going to be affected by this configuration
>   switch at all.
> 
> 
> ---
> Donald Stufft
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
> 
> 
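The per-application scope argued for in the quoted message, shown as an added example that is not part of the original thread: verification is relaxed only for one explicitly listed internal host, while every other connection made by the same program keeps the verified default. The host name `build.internal.example` and the helpers `context_for` and `fetch` are hypothetical names chosen for illustration.

```python
import ssl
import urllib.parse
import urllib.request

# Constructed sample value: the one internal server without a valid certificate.
UNVERIFIED_HOSTS = frozenset({"build.internal.example"})


def context_for(host, unverified_hosts=UNVERIFIED_HOSTS):
    """Return an SSLContext for host; verification stays on unless the
    host is an exact match for an explicitly exempted name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    if host.lower().rstrip(".") in unverified_hosts:
        # Order matters: check_hostname must be cleared first, otherwise
        # setting CERT_NONE raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch(url, timeout=10):
    """Fetch an https URL with a context chosen per destination host,
    so the exemption never leaks to other hosts or other programs."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https URLs are accepted: %r" % (url,))
    ctx = context_for(parts.hostname or "")
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


if __name__ == "__main__":
    for name in ("pypi.org", "build.internal.example"):
        c = context_for(name)
        print(name, c.verify_mode.name, "check_hostname=%s" % c.check_hostname)
```

Where the internal server's CA certificate is available, passing it as `cafile` to `ssl.create_default_context()` keeps verification on for that host as well.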




