Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://mail.python.org/pipermail/python-dev/2015-November/142294.html below:

[Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)

• Previous message (by thread): [Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)
• Next message (by thread): [Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

There's a lot to process in this thread, but as I see it, the issue breaks
down to these questions:

* How should PEP 493 be implemented?

* What should the default be?

* How should PEP 493 be worded to express the right tone to redistributors?

Let me take on the implementation details here.

On Nov 24, 2015, at 04:04 PM, M.-A. Lemburg wrote:

>I would still find having built-in support for the recommendations
>in the Python stdlib a better approach

As would I.

Currently the PEP contains some sample code for reading a configuration file
and an environment variable, and assigning the default behavior based on these
values.

The first improvement to the stdlib I would have made would have been to add
a convenience function to ssl to enable and disable the verification.
Something like this:

    def ssl.verify_certificates(enable)

Then at the simplest level, an application that wants to enable higher
security could do this early in its main entry point:

    import ssl
    if hasattr(ssl, 'verify_certificates'):
        ssl.verify_certificates(True)

or

    ...
        ssl.verify_certificates(False)

and that would work regardless of the platform default, and it would work
properly on older versions of Python 2.7 that didn't have the backport.  This
seems so straightforward, I'm wondering why PEP 493 doesn't consider it.

I would like to see the sample code in PEP 493 implemented in the stdlib.  It
would then be a matter of cherry picking that should a distro decide to
backport it.  It means one less non-trivial delta from upstream which has to
be managed separately.  The only difference to the combined approach I'd make
is to handle the case where the _cert_verification_config file doesn't exist.

(If you included the convenience method above, then the sample code could be
simplified down to a default for the `enable` parameter and a call to
ssl.verify_certificates().)

Is it too late to include both of those suggestions in PEP 493 and Python
2.7.11?

Cheers,
-Barry

• Previous message (by thread): [Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)
• Next message (by thread): [Python-Dev] Request for pronouncement on PEP 493 (HTTPS verification backport guidance)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4