On Mon, 6 Jul 2015 23:22:09 +1000 Nick Coghlan <ncoghlan at gmail.com> wrote: > On 6 Jul 2015 20:23, "Antoine Pitrou" <solipsis at pitrou.net> wrote: > > > > On Mon, 6 Jul 2015 14:22:46 +1000 > > Nick Coghlan <ncoghlan at gmail.com> wrote: > > > > > > The main change from the last version discussed on python-ideas > > > > Was it discussed there? That list has become totally useless, I've > > stopped following it. > > > > > * modify the ``ssl`` module to read the ``PYTHONHTTPSVERIFY`` > environment > > > variable when the module is first imported into a Python process > > > > Have you passed that by RedHat's security experts? > > Yeah, they were the ones that finally persuaded me that this design was > reasonable. If I understood their explanation correctly, the gist is that > if you're running with elevated permissions while allowing arbitrary > processes to set environment variables, you've already opened up so many > attack vectors that the only reasonable defence is "don't do that", and > hence higher level design decisions like sudo running in root's > environment, not the individual user's. Since having the selective > downgrade option available makes it easier to justify the default security > *up*grade, it works out as a net win. Thank you. Then I'm ok with the PEP. Regards Antoine.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4