[Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)
Paul Moore
p.f.moore at gmail.com
Tue Nov 24 13:08:58 EST 2015
On 24 November 2015 at 17:16, Toshio Kuratomi <a.badger at gmail.com> wrote:
> The long term answer for such environments is to update their internal
> certificate management to at least match the standards set by the public
> internet, but in the meantime, it is desirable to offer these administrators
> a way to continue receiving maintenance updates to the Python 2.7 series,
> without having to gate that on upgrades to their certificate management
> infrastructure.
>
> + The wording here seems to reflect a different scope than merely
> backporting by distros. Perhaps we should change it to: "[...]set by
> the public internet. Distributions may wish to help these sites
> transition by backporting the PEP 476 changes to earlier versions of
> python in a way that does not require the administrators to upgrade
> their certificate management infrastructure immediately. This would
> allow sites to choose to use the distribution suppiied python in a
> backwards compatible fashion until their certificate management
> infrastructure was updated and then toggle their site to utilize the
> more secure features provided by PEP 476."
I'm not actually sure that it's the place of this PEP to even comment
on what the long term answer for such environments should be (or
indeed, any answer, long term or not). I've argued the position that
in some organisations it feels like security don't actually understand
the issues of carefully balancing secure operation against flexible
development practices, but conversely it's certainly true that in many
organisations, they *have* weighed the various arguments and made an
informed decision on how to set up their internal network. It's
entirely possible that self-signed certificates are entirely the right
decision for their circumstances. Why would a Python PEP be qualified
to comment on that decision?
In my opinion, we should take all of the value judgements out of this
paragraph, and just state the facts. How about:
"""
In order to provide additional flexibility to allow infrastructure
administrators to provide the appropriate solution for their
environment, this PEP offers a way for administrators to upgrade to
later versions of the Python 2.7 series without being forced to update
their existing security certificate management infrastructure as a
prerequisite.
"""
Paul
More information about the Python-Dev
mailing list