[Python-Dev] PEP476: Enabling certificate validation by default

Sat Sep 20 19:05:45 CEST 2014

That sounds reasonable to me -- at this point I don't expect this to make
it into 3.4.2; Nick has some working code on the ticket:
http://bugs.python.org/issue22417 it's mostly missing documentation.

Alex

On Sat, Sep 20, 2014 at 9:46 AM, Guido van Rossum <guido at python.org> wrote:

> Nice. I just realized the release candidate for 3.4.2 is really close (RC1
> Monday, final Oct 6, see PEP 429). What's your schedule for 3.4? I see no
> date for 2.7.9 yet (but that could just be that PEP 373 hasn't been
> updated). What about the Apple and Microsoft issues Christian pointed out?
>
> Regarding the approval process, I want to get this into 2.7 and 3.4, but I
> want it done right, and I'm not convinced that the implementation is
> sufficiently worked out. I don't want you to feel rushed, and I don't want
> you to feel that you can't start coding until the PEP is approved, but I
> also feel that I want to see more working code and some beta testing before
> it goes live. Perhaps I should just approve the PEP but separately get to
> approve the code? (Others will have to review it for correctness -- but I
> want to understand and review the API.)
>
> On Sat, Sep 20, 2014 at 8:54 AM, Alex Gaynor <alex.gaynor at gmail.com>
> wrote:
>
>> Done and done.
>>
>> Alex
>>
>> On Fri, Sep 19, 2014 at 4:13 PM, Guido van Rossum <guido at python.org>
>> wrote:
>>
>>> +1 on Nick's suggestion. (Might also mention that this is the reason why
>>> both functions should exist and have compatible signatures.)
>>>
>>> Also please, please, please add explicit mention of Python 2.7, 3.4 and
>>> 3.5 in the Abstract (for example in the 3rd paragraph of the abstract).
>>>
>>> On Fri, Sep 19, 2014 at 3:52 PM, Nick Coghlan <ncoghlan at gmail.com>
>>> wrote:
>>>
>>>> On 20 September 2014 08:34, Alex Gaynor <alex.gaynor at gmail.com> wrote:
>>>> > Pushed a new version which I believe adresses all of these. I added an
>>>> > example of opting-out with urllib.urlopen, let me know if there's any
>>>> other
>>>> > APIs you think I should show an example with.
>>>>
>>>> It would be worth explicitly stating the process global monkeypatching
>>>> hack:
>>>>
>>>>     import ssl
>>>>     ssl._create_default_https_context = ssl._create_unverified_context
>>>>
>>>> Adding that hack to sitecustomize allows corporate sysadmins that can
>>>> update their standard operating environment more easily than they can
>>>> fix invalid certificate infrastructure to work around the problem on
>>>> behalf of their users. It also helps out users that will be able to
>>>> deal with such broken infrastructure without updating each and every
>>>> one of their scripts.
>>>>
>>>> It's deliberately ugly because it's a genuinely bad idea that folks
>>>> should want to avoid using, but as a matter of practical reality,
>>>> corporate IT departments are chronically understaffed, and often fully
>>>> committed to fighting the crisis du jour, without sufficient time
>>>> being available for regular infrastructure maintenance tasks.
>>>>
>>>> Regards,
>>>> Nick.
>>>>
>>>> --
>>>> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
>>>>
>>>
>>>
>>>
>>> --
>>> --Guido van Rossum (python.org/~guido)
>>>
>>
>>
>>
>> --
>> "I disapprove of what you say, but I will defend to the death your right
>> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
>> "The people's good is the highest law." -- Cicero
>> GPG Key fingerprint: 125F 5C67 DFE9 4084
>>
>
>
>
> --
> --Guido van Rossum (python.org/~guido)
>

-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20140920/3de4cb47/attachment.html>