[Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)

[Paul Moore]

On 24 November 2015 at 13:20, Nick Coghlan <ncoghlan at gmail.com> wrote:
> I believe you're referring mainly to the original PEP 476 change there. In
> the context of PEP 493, this is another group that would potentially benefit
> from the suggested "security downgrade" environment variable (if any
> redistributors decide to implement that - RHEL doesn't as yet), since it
> would provide a way to restore the old behaviour without changing their
> client code or monkeypatching the SSL module as described in PEP 476.

I'm actually referring to the fact that your classification didn't
seem to include people who have no control over their infrastructure
(except in class 1 which implies ignorance rather than
powerlessness...). PEP 493 is of benefit to such people, so there's
now downside in explicitly noting this.

My concern is that *because* people consistently forget about the
class of people who have to put up with bad infrastructure but can't
do anything about it, we risk promoting a sense of "security as the
enemy" - which is the direct opposite of what we're trying to do.

I have no interest or opinion regarding this PEP itself, but I would
like to see "people who have to put up with whatever infrastructure
they are dumped with, and use Python to ease that burden" recognised
as an important class of user. They are very under-represented in
discussions, as it's usually big business closed source and similar
environments that are in that situation.

Simply adding "people who have no control over their broken
infrastructure" with a note that this PEP helps them, would be
sufficient here (and actually helps the case for the PEP, so why not?
;-))

Apologies, this is a bit of a hobby horse of mine, I'll pipe down now.

Paul.