On Sat, 30 Aug 2014 14:03:57 +0200, "M.-A. Lemburg" <mal at egenix.com> wrote: > On 30.08.2014 12:55, Antoine Pitrou wrote: > > On Sat, 30 Aug 2014 12:46:47 +0200 > > "M.-A. Lemburg" <mal at egenix.com> wrote: > >>> That use case should be served with the SSL_CERT_DIR and SSL_CERT_FILE > >>> env vars (or, better, by specific settings *inside* the application). > >>> > >>> I'm against multiplying environment variables, as it makes it more > >>> difficult to assess the actual security of a setting. The danger of an > >>> ill-secure setting is much more severe than with hash randomization. > >> > >> You have a point there. So how about just a python run-time switch > >> and no env var ? > > > > Well, why not, but does it have a value over letting the code properly > > configure their SSLContext? > > Yes, because when Python changes the default to be validating > and more secure, application developers will do the same as > they do now: simply use the defaults ;-) But neither of those addresses the articulated use case: someone *using* a program implemented in python that does not itself provide a way to disable the new default security (because it is *new*). Only an environment variable will do that. Since the environment variable is opt-in, I think the "consenting adults" argument applies to Alex's demure about "multiple connections". It could still emit the warnings. --David
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4