[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)

David Malcolm dmalcolm at redhat.com
Mon Jun 3 22:07:05 CEST 2013


On Mon, 2013-06-03 at 12:48 -0400, Barry Warsaw wrote:

On Jun 03, 2013, at 09:05 AM, Ben Darnell wrote:

>The data is analogous to the time zone database (PEP 431) in that it may
>need to be updated independently of Python's own release schedule, so we
>may want to use similar techniques to manage both. Also see certifi (
>https://pypi.python.org/pypi/certifi), which is a copy of the Mozilla list
>in a pip-installable form.

Right, this is very much analogous, except with the additional twist that
out-of-date certificates can pose a significant security risk.

I'm fairly certain that Debian and Ubuntu would explicitly not use any
certificates shipped with Python, for two main reasons: 1) our security
teams already manage the certificate store distro-wide and we want to make
sure that one update fixes everything; 2) we don't want to duplicate code
in multiple packages[1].

Fedora/RHEL are in a similar position; I expect we'd rip out the bundled certs in our builds shortly after unzipping the tarball, and use a system-wide cert store (I "rm -rf" bundled libraries in our builds, to make sure we're not using them).

[...snip...]
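The distribution maintainers above want CPython to validate against the OS-managed trust store rather than a bundle shipped inside the interpreter. The following is an added example, not code from this thread or from CPython itself: it shows how a program can build a verifying TLS context from whatever store the interpreter's OpenSSL was built to use, report where that store lives, and detect the failure mode a stripped bundle with no working system store would produce (zero CA certificates loaded). It assumes a CPython with the 3.4+ `ssl` module (`ssl.create_default_context`, `SSLContext.load_default_certs`, `SSLContext.cert_store_stats` and `ssl.get_default_verify_paths`); the function names are my own.

```python
"""Build a TLS context that validates against the system CA store.

Added example, not code from the python-dev thread. It assumes a CPython
3.4+ 'ssl' module; the helper names below are my own.
"""
import ssl


def default_verify_locations():
    """Report where this interpreter's OpenSSL looks for trust anchors.

    On a distro build these point at the distro-managed store (typically
    under /etc/ssl or /etc/pki), so one OS update refreshes the roots for
    every program on the box, which is the maintainers' point above.
    """
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.cafile,
        "capath": paths.capath,
        "openssl_cafile_env": paths.openssl_cafile_env,
        "openssl_capath_env": paths.openssl_capath_env,
    }


def system_trust_context():
    """Return a verifying SSLContext backed only by the OS trust store.

    create_default_context() sets CERT_REQUIRED and check_hostname and,
    when given no cafile/capath/cadata, already loads the default roots;
    the explicit load_default_certs() call documents that intent. The
    verify mode is never relaxed: an empty store must make connections
    fail loudly rather than silently skip validation.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def trust_store_summary(ctx):
    """Summarise what the context can actually validate with.

    cert_store_stats() reports how many X.509 certs (and how many CA
    certs) OpenSSL holds for this context. A zero 'x509_ca' count means
    every verified connection will fail, which is the symptom of a build
    whose bundled certs were removed without a system store to replace
    them.
    """
    stats = ctx.cert_store_stats()
    return {
        "x509": stats.get("x509", 0),
        "x509_ca": stats.get("x509_ca", 0),
        "crl": stats.get("crl", 0),
        "verify_mode_is_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": bool(ctx.check_hostname),
    }


if __name__ == "__main__":
    print(default_verify_locations())
    summary = trust_store_summary(system_trust_context())
    print(summary)
    if summary["x509_ca"] == 0:
        # Assumption: an empty store is a misconfiguration to surface,
        # not something to paper over by switching to CERT_NONE.
        print("WARNING: no CA certificates loaded; TLS validation will fail")
```

The CA counts depend on the host, so they are printed rather than asserted; the properties that should hold everywhere are that verification is required and hostname checking is on.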


