[Python-Dev] Enable Hostname and Certificate Chain Validation
Cory Benfield cory at lukasa.co.uk
Fri Jan 24 09:22:54 CET 2014
On 24 January 2014 03:06, Stephen J. Turnbull <stephen at xemacs.org> wrote:
> Are you kidding? These aren't the apps that I care about breaking, and I know that the PHBs won't pay attention to what I say about fixing their sites and cert chains (believe me, I've tried, and the answer is as Paul Moore says: the users can punch the "go ahead anyway button," what's the big deal here?), they'll just deprecate Python.

Surely the solution here isn't to say "well then, let's be insecure by default", it's to provide a "go ahead anyway" button. That at least lets us push the choice to be insecure by default onto someone else. The idea that an enterprise will deprecate Python instead of adding a single environment variable or one line at the top of their scripts seems hugely unlikely.
As an example, Requests provides a "stop verifying certs" button, and that works fine for us. (I know that Requests is outside the stdlib and so it's not a perfect analogy, but it's serviceable.) I suspect most people who want this change don't care if users have an easy way to circumvent it; we just want to have the user/enterprise make that choice for themselves. Put another way, we want the average user to fall into a pit of success.
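
The "verify by default, explicit opt-out" arrangement argued for in this message, as an added sketch that is not part of the original post or of any stdlib proposal. The variable name `EXAMPLE_TLS_NO_VERIFY` and both helper functions are hypothetical, chosen for this example only.

```python
import os
import ssl
import warnings

# Hypothetical variable name, chosen for this example only.
OPT_OUT_VAR = "EXAMPLE_TLS_NO_VERIFY"


def build_context(environ=None):
    """Return a client SSLContext that verifies unless the caller opted out."""
    environ = os.environ if environ is None else environ
    # Secure default: chain validation and hostname checking are both on.
    ctx = ssl.create_default_context()
    # Only the exact value "1" opts out; anything else keeps verification.
    if environ.get(OPT_OUT_VAR) == "1":
        # Order matters: setting CERT_NONE while check_hostname is still
        # True raises ValueError, so hostname checking is switched off first.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        # Make the insecure choice visible to whoever runs the script.
        warnings.warn(
            f"{OPT_OUT_VAR}=1: TLS certificate verification is disabled",
            stacklevel=2,
        )
    return ctx


def describe(ctx):
    """Summarise the two settings the thread is about."""
    return {
        "chain_validation": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_check": ctx.check_hostname,
    }


if __name__ == "__main__":
    # Constructed environments: one empty, one with the opt-out set.
    print(describe(build_context({})))
    print(describe(build_context({OPT_OUT_VAR: "1"})))
```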