[Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)

Paul Moore p.f.moore at gmail.com
Tue Nov 24 10:34:53 EST 2015


On 24 November 2015 at 14:27, Laura Creighton <lac at openend.se> wrote:
> In a message of Tue, 24 Nov 2015 14:05:53 +0000, Paul Moore writes:
>>Simply adding "people who have no control over their broken
>>infrastructure" with a note that this PEP helps them, would be
>>sufficient here (and actually helps the case for the PEP, so why not?
>>;-))
>
> But does it help them?  Or does it increase the power of those who
> hand out certificates and who are intensely security conscious over
> those who would like to get some work done this afternoon?

My reading is that if fully implemented (and Nick has already
confirmed that Red Hat didn't do this) it would add an environment
variable that would allow the user to (in effect) say "I can't fix my
security infrastructure, so just leave me alone and let me take the
risk".

So in theory this PEP would give back some of the ability to ignore
the problem that previous PEPs took away. (And by "ignore the
problem", here I mean "just try to get some work done in spite of a
security and infrastructure group that don't understand how to
implement security and infrastructure, dammit!")

Like it or not, in many organisations, security and development are a
huge "us and them" battle. For me, it's important that Python doesn't
take sides in that battle, while still offering education to anyone
willing to listen. (All I've learned about security is as a result of
working with Python - sadly, that knowledge has not made my job one
iota easier, it's just increased my stress levels :-()

Paul
