On Jan 23, 2014, at 10:09 PM, Donald Stufft <donald at stufft.io> wrote:
>
> On Jan 23, 2014, at 10:06 PM, Stephen J. Turnbull <stephen at xemacs.org> wrote:
>
>> Wes Turner writes:
>>>> But if it's only the already security-conscious developers and
>>>> managers who go WTF?, and other environments don't do this by default,
>>>> I'd consider that a "dangerous curve, slow down" sign.
>>>
>>> Mitigations:
>>>
>>> **Packaging**
>>>
>>> * Upgrade setuptools (distribute, zc.buildout)
>>> * Avoid easy_install, python setup.py install, and python setup.py develop
>>> (until it can be verified that the installed version of setuptools contains
>>> VerifyingHTTPSHandler [1])
>>
>> Are you kidding? These *aren't* the apps that I care about breaking,
>> and I know that the PHBs won't pay attention to what I say about
>> fixing their sites and cert chains (believe me, I've tried, and the
>> answer is as Paul Moore says: the users can punch the "go ahead anyway"
>> button, what's the big deal here?), they'll just deprecate Python.
>>
>> My question remains:
>>
>>>> Are you telling me that Perl, PHP, and Ruby *do* verify certs by
>>>> default in their "batteries included" stdlibs, and developers using
>>>> those languages have been turning that feature off in their code for,
>>>> like, you know, well, for-EVER man!?
>>
>> I find that hard to believe, given that the security of the network
>> remains broken yet there aren't warnings out to avoid these platforms.
>> (BTW, my employer prides itself on being Matz's alma mater ... they
>> actually might do something if Ruby was breaking things!)
>
> Ruby has verified the peer by default since Ruby 1.9
>
> Go also verifies by default, I'm not aware if PHP or Perl do.

Oh, Node.js also verifies by default, PHP apparently does not.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
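The mitigation quoted above (check that the installed setuptools has VerifyingHTTPSHandler before trusting easy_install) and the surrounding argument about whether the interpreter verifies the peer at all can both be turned into an offline check. The script below is an added example for this archived thread, not code from python-dev, setuptools or pip; every function name in it is this example's own. It assumes Python 3 with the ssl module, where ssl.create_default_context() (added by PEP 476 for 2.7.9 and 3.4.3) is the verifying context and ssl._create_unverified_context() is the opt-out, and it assumes that setuptools.ssl_support may be absent in newer setuptools releases, which is why its absence is reported rather than treated as an error. It opens no network connections; it only inspects context objects and installed modules.

```python
"""Offline audit of TLS peer verification in this Python environment.

Added example for the python-dev thread on cert verification; not code from
python-dev, setuptools or pip. All names below are this example's own.
Assumes Python 3 with the ssl module. Opens no connections.
"""
import importlib
import ssl
import urllib.request


class UnverifiedContextError(ValueError):
    """Raised when a context would accept any certificate."""


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report what a context would actually check during a handshake.

    A context authenticates the peer only when it both requires a valid
    chain (verify_mode == CERT_REQUIRED) and matches the hostname against
    the certificate (check_hostname is True). CERT_NONE is the "go ahead
    anyway" button the thread argues about, in code form.
    """
    requires_chain = ctx.verify_mode == ssl.CERT_REQUIRED
    checks_host = bool(ctx.check_hostname)
    return {
        "verify_mode": ssl.VerifyMode(ctx.verify_mode).name,
        "check_hostname": checks_host,
        "verifies_peer": requires_chain and checks_host,
    }


def require_verifying_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Return ctx unchanged, or refuse it if it does not verify the peer."""
    audit = audit_context(ctx)
    if not audit["verifies_peer"]:
        raise UnverifiedContextError(
            "refusing to use a context that does not verify the peer: %r" % audit
        )
    return ctx


def interpreter_verifies_by_default() -> bool:
    """True when the stdlib default context verifies (PEP 476 behaviour)."""
    factory = getattr(ssl, "create_default_context", None)
    if factory is None:  # pre-PEP 476 interpreter: no verifying default at all
        return False
    return audit_context(factory())["verifies_peer"]


def strict_https_opener() -> urllib.request.OpenerDirector:
    """A urllib opener that can only speak HTTPS through a verifying context."""
    ctx = require_verifying_context(ssl.create_default_context())
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def setuptools_handler_status() -> dict:
    """The thread's check: does installed setuptools carry VerifyingHTTPSHandler?

    Assumption: setuptools.ssl_support may not exist in newer releases, so a
    missing module is reported as False rather than raised, and on a PEP 476
    interpreter that absence does not by itself mean easy_install is unsafe.
    """
    status = {"setuptools": None, "ssl_support": False, "VerifyingHTTPSHandler": False}
    try:
        st = importlib.import_module("setuptools")
    except ImportError:
        return status
    status["setuptools"] = getattr(st, "__version__", "unknown")
    try:
        ssl_support = importlib.import_module("setuptools.ssl_support")
    except ImportError:
        return status
    status["ssl_support"] = True
    status["VerifyingHTTPSHandler"] = hasattr(ssl_support, "VerifyingHTTPSHandler")
    return status


if __name__ == "__main__":
    print("default context:", audit_context(ssl.create_default_context()))
    print("opt-out context:", audit_context(ssl._create_unverified_context()))
    print("interpreter verifies by default:", interpreter_verifies_by_default())
    print("setuptools:", setuptools_handler_status())
```

Wire require_verifying_context() in front of whatever builds your HTTPS clients, so that a context someone relaxed "to make it work" fails loudly at startup instead of silently accepting any certificate at request time; the printed report is what you would attach to a ticket when arguing the point the thread argues.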