[Python-checkins] peps: PEP 493: Update for python-dev comments
nick.coghlan
python-checkins at python.org
Mon Nov 23 18:31:32 EST 2015
https://hg.python.org/peps/rev/8decac213ebf
changeset: 6130:8decac213ebf
user: Nick Coghlan <ncoghlan at gmail.com>
date: Tue Nov 24 09:30:31 2015 +1000
summary:
PEP 493: Update for python-dev comments
* Describe the fallback in the absence of the PEP
* Check sys.flags.ignore_environment in sample code
* Explicitly limit backport scope to Linux distros
* Explicitly cover (lack of) interaction with virtualenv
files:
pep-0493.txt | 62 ++++++++++++++++++++++++++++++++-------
1 files changed, 50 insertions(+), 12 deletions(-)
diff --git a/pep-0493.txt b/pep-0493.txt
--- a/pep-0493.txt
+++ b/pep-0493.txt
@@ -9,7 +9,7 @@
Type: Informational
Content-Type: text/x-rst
Created: 10-May-2015
-Post-History: 06-Jul-2015
+Post-History: 06-Jul-2015, 11-Nov-2015, 24-Nov-2015
Abstract
@@ -74,6 +74,23 @@
version of Python 3 (whether published directly by the Python Software
Foundation or by a redistributor).
+Alternatives
+------------
+
+In the absence of clear upstream guidance and recommendations, commercial
+redistributors will still make their own design decisions in the interests of
+their customers. The main approaches available are:
+
+* Continuing to rebase on new Python 2.7.x releases, while providing no
+ additional assistance beyond the mechanisms defined in PEP 476 in migrating
+ from unchecked to checked hostnames in standard library HTTPS clients
+* Gating availability of the improved default handling of HTTPS connections on
+ upgrading from Python 2 to Python 3
+* For Linux distribution vendors, gating availability of the improved default
+ handling of HTTPS connections on upgrading to a new operating system version
+* Implementing one or both of the design suggestions described in this PEP,
+ regardless of the formal status of the PEP
+
Requirements for capability detection
=====================================
@@ -150,9 +167,10 @@
_https_verify_envvar = 'PYTHONHTTPSVERIFY'
def _get_https_context_factory():
- config_setting = os.environ.get(_https_verify_envvar)
- if config_setting == '0':
- return _create_unverified_context
+ if not sys.flags.ignore_environment:
+ config_setting = os.environ.get(_https_verify_envvar)
+ if config_setting == '0':
+ return _create_unverified_context
return create_default_context
_create_default_https_context = _get_https_context_factory()
@@ -170,6 +188,13 @@
and any attacker with such access would already be able to modify the
behaviour of the underlying OpenSSL implementation.
+Interaction with Python virtual environments
+--------------------------------------------
+
+This setting is read directly from the process environment, and hence works
+the same way regardless of whether or not the interpreter is being run inside
+an activated Python virtual environment.
+
Recommendation for backporting to earlier Python versions
=========================================================
@@ -233,9 +258,11 @@
Recommended file location
-------------------------
-This approach is currently only defined for \*nix system Python installations.
+As the PEP authors are not aware of any vendors providing long-term support
+releases targeting Windows, Mac OS X or \*BSD systems, this approach is
+currently only specifically defined for Linux system Python installations.
-The recommended configuration file name is
+The recommended configuration file name on Linux systems is
``/etc/python/cert-verification.cfg``.
The ``.cfg`` filename extension is recommended for consistency with the
@@ -248,6 +275,9 @@
The configuration file should use a ConfigParser ini-style format with a
single section named ``[https]`` containing one required setting ``verify``.
+The suggested section name is taken from the "https" URL schema passed to
+affected client APIs.
+
Permitted values for ``verify`` are:
* ``enable``: ensure HTTPS certificate verification is enabled by default
@@ -319,6 +349,13 @@
variable has the essential feature of providing a smoother migration path, even
for applications being run with the ``-E`` switch.
+Interaction with Python virtual environments
+--------------------------------------------
+
+This setting is scoped by the interpreter installation and affects all Python
+processes using that interpreter, regardless of whether or not the interpreter
+is being run inside an activated Python virtual environment.
+
Combining the recommendations
=============================
@@ -341,12 +378,13 @@
_cert_verification_config = '/etc/python/cert-verification.cfg'
def _get_https_context_factory():
- # Check for am environmental override of the default behaviour
- config_setting = os.environ.get(_https_verify_envvar)
- if config_setting is not None:
- if config_setting == '0':
- return _create_unverified_context
- return create_default_context
+ # Check for an environmental override of the default behaviour
+ if not sys.flags.ignore_environment:
+ config_setting = os.environ.get(_https_verify_envvar)
+ if config_setting is not None:
+ if config_setting == '0':
+ return _create_unverified_context
+ return create_default_context
# Check for a system-wide override of the default behaviour
context_factories = {
--
Repository URL: https://hg.python.org/peps
More information about the Python-checkins
mailing list