[Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)

[Nick Coghlan]

On 25 November 2015 at 00:27, Laura Creighton <lac at openend.se> wrote:
> In a message of Tue, 24 Nov 2015 14:05:53 +0000, Paul Moore writes:
>>Simply adding "people who have no control over their broken
>>infrastructure" with a note that this PEP helps them, would be
>>sufficient here (and actually helps the case for the PEP, so why not?
>>;-))
>
> But does it help them?  Or does it increase the power of those who
> hand out certificates and who are intensely security conscious over
> those who would like to get some work done this afternoon?

In situations where IT are still the "Department of No", rather than
focusing on facilitating folks in getting their work done, I think the
most likely outcome of the configuration file recommendation in PEP
493 is preservation of the status quo: admins simply won't change the
config setting, even if they deploy a version of Linux that adopts the
approach suggested in the PEP. If they do enable full certificate
verification (or upgrade the environments they provide to a version of
Python that has it enabled by default) without doing appropriate
compatibility testing first, then they're going to hit the
compatibility problems Paul is talking about.

The aspect of the PEP that has the potential to help in the case of
poor infrastructure management is providing the ability to globally
turn off certificate verification on a per-process basis. It's the
networking equivalent of monkeypatching - you know there are risks
with doing it, but also judge the near term benefits to outweigh those
longer term risks in your particular situation.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia