[Python-checkins] peps: PEP 493: Update for python-dev comments

nick.coghlan python-checkins at python.org
Mon Nov 23 18:31:32 EST 2015 

https://hg.python.org/peps/rev/8decac213ebf
changeset:   6130:8decac213ebf
user:        Nick Coghlan <ncoghlan at gmail.com>
date:        Tue Nov 24 09:30:31 2015 +1000
summary:
  PEP 493: Update for python-dev comments

* Describe the fallback in the absence of the PEP
* Check sys.flags.ignore_environment in sample code
* Explicitly limit backport scope to Linux distros
* Explicitly cover (lack of) interaction with virtualenv

files:
  pep-0493.txt |  62 ++++++++++++++++++++++++++++++++-------
  1 files changed, 50 insertions(+), 12 deletions(-)


diff --git a/pep-0493.txt b/pep-0493.txt
--- a/pep-0493.txt
+++ b/pep-0493.txt
@@ -9,7 +9,7 @@
 Type: Informational
 Content-Type: text/x-rst
 Created: 10-May-2015
-Post-History: 06-Jul-2015
+Post-History: 06-Jul-2015, 11-Nov-2015, 24-Nov-2015
 
 
 Abstract
@@ -74,6 +74,23 @@
 version of Python 3 (whether published directly by the Python Software
 Foundation or by a redistributor).
 
+Alternatives
+------------
+
+In the absence of clear upstream guidance and recommendations, commercial
+redistributors will still make their own design decisions in the interests of
+their customers. The main approaches available are:
+
+* Continuing to rebase on new Python 2.7.x releases, while providing no
+  additional assistance beyond the mechanisms defined in PEP 476 in migrating
+  from unchecked to checked hostnames in standard library HTTPS clients
+* Gating availability of the improved default handling of HTTPS connections on
+  upgrading from Python 2 to Python 3
+* For Linux distribution vendors, gating availability of the improved default
+  handling of HTTPS connections on upgrading to a new operating system version
+* Implementing one or both of the design suggestions described in this PEP,
+  regardless of the formal status of the PEP
+
 
 Requirements for capability detection
 =====================================
@@ -150,9 +167,10 @@
     _https_verify_envvar = 'PYTHONHTTPSVERIFY'
 
     def _get_https_context_factory():
-        config_setting = os.environ.get(_https_verify_envvar)
-        if config_setting == '0':
-            return _create_unverified_context
+        if not sys.flags.ignore_environment:
+            config_setting = os.environ.get(_https_verify_envvar)
+            if config_setting == '0':
+                return _create_unverified_context
         return create_default_context
 
     _create_default_https_context = _get_https_context_factory()
@@ -170,6 +188,13 @@
 and any attacker with such access would already be able to modify the
 behaviour of the underlying OpenSSL implementation.
 
+Interaction with Python virtual environments
+--------------------------------------------
+
+This setting is read directly from the process environment, and hence works
+the same way regardless of whether or not the interpreter is being run inside
+an activated Python virtual environment.
+
 
 Recommendation for backporting to earlier Python versions
 =========================================================
@@ -233,9 +258,11 @@
 Recommended file location
 -------------------------
 
-This approach is currently only defined for \*nix system Python installations.
+As the PEP authors are not aware of any vendors providing long-term support
+releases targeting Windows, Mac OS X or \*BSD systems, this approach is
+currently only specifically defined for Linux system Python installations.
 
-The recommended configuration file name is
+The recommended configuration file name on Linux systems is
 ``/etc/python/cert-verification.cfg``.
 
 The ``.cfg`` filename extension is recommended for consistency with the
@@ -248,6 +275,9 @@
 The configuration file should use a ConfigParser ini-style format with a
 single section named ``[https]`` containing one required setting ``verify``.
 
+The suggested section name is taken from the "https" URL schema passed to
+affected client APIs.
+
 Permitted values for ``verify`` are:
 
 * ``enable``: ensure HTTPS certificate verification is enabled by default
@@ -319,6 +349,13 @@
 variable has the essential feature of providing a smoother migration path, even
 for applications being run with the ``-E`` switch.
 
+Interaction with Python virtual environments
+--------------------------------------------
+
+This setting is scoped by the interpreter installation and affects all Python
+processes using that interpreter, regardless of whether or not the interpreter
+is being run inside an activated Python virtual environment.
+
 
 Combining the recommendations
 =============================
@@ -341,12 +378,13 @@
     _cert_verification_config = '/etc/python/cert-verification.cfg'
 
     def _get_https_context_factory():
-        # Check for am environmental override of the default behaviour
-        config_setting = os.environ.get(_https_verify_envvar)
-        if config_setting is not None:
-            if config_setting == '0':
-                return _create_unverified_context
-            return create_default_context
+        # Check for an environmental override of the default behaviour
+        if not sys.flags.ignore_environment:
+            config_setting = os.environ.get(_https_verify_envvar)
+            if config_setting is not None:
+                if config_setting == '0':
+                    return _create_unverified_context
+                return create_default_context
 
         # Check for a system-wide override of the default behaviour
         context_factories = {

-- 
Repository URL: https://hg.python.org/peps

More information about the Python-checkins mailing list