[Python-Dev] PYTHONHTTPSVERIFY env var

Nick Coghlan ncoghlan at gmail.com
Mon May 11 16:06:45 CEST 2015


On 11 May 2015 10:16 pm, "Robert Kuska" <rkuska at redhat.com> wrote:

> > Oh, another issue that I forgot to mention--
> >
> > A fair number of people had no idea that Python wasn't validating TLS before
> > 2.7.9/3.4.3 however as part of the processing of changing that in 2.7.9 a lot
> > of people became aware that Pythons before 2.7.9 didn't validate but that
> > Python 2.7.9+ does. I worry that if Redhat (or anyone) ships a Python 2.7.9
> > that doesn't verify by default then they are going to be shipping something
> > which defies the expectations of those users who were relying on the fact
> > that Python 2.7.9+ was supposed to be secure by default now. You're
> > (understandably) focusing on "I already have my thing running on Python
> > 2.7.8 and I want to yum update and get 2.7.9 and have things not visibly
> > break",

As Robert noted, it would be a matter of updating to a 2.7.5 with more
patches backported, rather than rebasing to a newer upstream version.

I can make the "do not change the default behaviour relative to the
corresponding upstream version" guidance explicit in the PEP, though.

Cheers,
Nick.