[Python-Dev] PYTHONHTTPSVERIFY env var

Nick Coghlan ncoghlan at gmail.com
Tue May 12 13:17:21 CEST 2015

On 12 May 2015 at 21:09, Donald Stufft <donald at stufft.io> wrote:
> If you control the app you don't need to do that. All relevant api accept the context parameter. The shims are only useful when you don't control the app. So an app shipping their own python doesn't fall under that.

I think the "bundled Python" scenario MAL is interested in is this one:

1. An application with a bundled CPython runtime is using the
verification defaults
2. Upgraded the bundled Python to 2.7.9
3. Didn't provide new configuration settings to disable certificate verification
4. Is being upgraded in an environment where verifying certificates
makes the app unusable for environmental reasons related to
certificate management

The PyRun single-file Python interpreter has a similar need, where
some apps than ran fine under 2.7.8 will need a way to disable cert
verification in 2.7.9+ on a per-application basis, *without* modifying
the applications.

Both of those make sense to me as cases where the environment variable
based security downgrade approach is the "least bad" answer available,
which is why I eventually agreed it should be one of the
recommendations in the PEP.


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Python-Dev mailing list