[Python-Dev] PYTHONHTTPSVERIFY env var

M.-A. Lemburg mal at egenix.com
Tue May 12 13:41:48 CEST 2015


On 12.05.2015 13:21, Donald Stufft wrote:
> 
>> On May 12, 2015, at 7:17 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>>
>> On 12 May 2015 at 21:09, Donald Stufft <donald at stufft.io> wrote:
>>> If you control the app you don't need to do that. All relevant APIs accept the context parameter. The shims are only useful when you don't control the app. So an app shipping their own Python doesn't fall under that.
>>
>> I think the "bundled Python" scenario MAL is interested in is this one:
>>
>> 1. An application with a bundled CPython runtime is using the
>> verification defaults
>> 2. Upgraded the bundled Python to 2.7.9
>> 3. Didn't provide new configuration settings to disable certificate verification
>> 4. Is being upgraded in an environment where verifying certificates
>> makes the app unusable for environmental reasons related to
>> certificate management
>>
>> The PyRun single-file Python interpreter has a similar need, where
>> some apps that ran fine under 2.7.8 will need a way to disable cert
>> verification in 2.7.9+ on a per-application basis, *without* modifying
>> the applications.
>>
>> Both of those make sense to me as cases where the environment variable
>> based security downgrade approach is the "least bad" answer available,
>> which is why I eventually agreed it should be one of the
>> recommendations in the PEP.
>>
> 
> Why is without modifying the app a reasonable goal? If Python is bundled
> with the app then you have direct control over when that upgrade happens,
> so you can delay the upgrade to 2.7.9 until your application which is
> bundling Python has the relevant switches. This is distinctly different
> from a situation like downstream distributors where the version of Python
> being provided is being provided by a group different than the person
> providing the application.

Take a Plone Intranet as example:

The unified installer downloads and installs Python 2.7 for you.
As of Plone 4.3.3 the version is Python 2.7.6.

Now say you are a sys admin and your Intranet users are affected by
some bug in 2.7.6 which is fixed in 2.7.9. The natural approach would
be to upgrade the bundled Python to 2.7.9.

Because it's an Intranet and Plone is used to aggregate
information from other systems which use self-signed
certificates, you don't want to risk breaking your Plone
installation and need a way to disable the cert checks.

The best way to do this is by configuring the bundled
Python to disable the checks, since you would not want
to mess with the Plone application itself.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, May 12 2015)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> mxODBC Plone/Zope Database Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
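The two routes the thread contrasts, as an added Python 3 example that is not code from this thread or from CPython: the per-call `context=` parameter an application owner controls, and the interpreter-wide shim a sysadmin would drop into the bundled Python's `sitecustomize` when the application itself must stay untouched. The env-var semantics here are an assumption taken from the later PEP 493 design (only the exact value `"0"` disables verification; unset or anything else keeps the 2.7.9 default); `ssl._create_default_https_context` is the private hook PEP 476 names as the opt-out, and the function and logger names are the example's own.

```python
import logging
import os
import ssl

log = logging.getLogger("https_policy")


def verification_enabled(environ=None):
    """Decide the interpreter-wide policy from PYTHONHTTPSVERIFY.

    Assumed semantics (PEP 493 style, not from this thread): only the
    exact value "0" turns verification off; unset or any other value
    keeps the verifying default introduced in 2.7.9.
    """
    environ = os.environ if environ is None else environ
    value = environ.get("PYTHONHTTPSVERIFY")
    if value == "0":
        # Loud log line so an operator can later find out why this
        # interpreter is accepting self-signed certificates.
        log.warning("PYTHONHTTPSVERIFY=0 set: HTTPS certificate "
                    "verification disabled for this interpreter")
        return False
    return True


def make_https_context(verify=True):
    """Build the ssl.SSLContext an application passes explicitly via the
    context= parameter of urlopen()/HTTPSConnection (the per-call route
    Donald describes). verify=False is an opt-out the app owner chooses
    knowingly; the default stays verifying."""
    if verify:
        return ssl.create_default_context()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode may become CERT_NONE
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx):
    """Summarise a context's effective policy as a short label."""
    if ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED:
        return "verified"
    if not ctx.check_hostname and ctx.verify_mode == ssl.CERT_NONE:
        return "unverified"
    return "partial"


def install_interpreter_policy(environ=None):
    """The sitecustomize-style shim for the 'bundled Python, untouched
    app' case: swap the factory urllib falls back to when no context is
    passed. Returns True when verification stays on."""
    verify = verification_enabled(environ)
    ssl._create_default_https_context = (
        ssl.create_default_context if verify else ssl._create_unverified_context
    )
    return verify


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    policy = "verify" if install_interpreter_policy() else "NO verify"
    print("interpreter-wide policy from environment:", policy)
    print("explicit app context:", describe_context(make_https_context(True)))
```

Placed in `sitecustomize.py` of the bundled interpreter, `install_interpreter_policy()` only ever downgrades when the variable is deliberately set to `"0"`, and it leaves a warning in the log each time, which is the property a sysadmin in MAL's Plone scenario would want to be able to audit later.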

