[Python-Dev] PEP 476: Enabling certificate validation by default!

Nick Coghlan ncoghlan at gmail.com
Wed Sep 3 12:34:32 CEST 2014


On 3 Sep 2014 18:28, "Cory Benfield" <cory at lukasa.co.uk> wrote:

> This is definitely true, and this change is both. The only question that matters is whether we believe we're doing users a service by breaking their code. I'd argue, along with Glyph, Alex and Donald, that we are. I've been on the losing side of this debate a number of times though, and I expect I will be again.

The default stdlib behaviour will change in 3.5, I don't think anyone is disputing that. While I earlier said that should depend on the sslcustomize PEP, I now think they should be made orthogonal so the SSL customisation PEP can focus on its potential for increasing security in properly configured environments rather than deliberately decreasing it after upgrading to Python 3.5 in improperly configured ones.

The backwards compatibility argument only applies to Python 2 maintenance releases (where dreid indicated an intention to request backporting the change), and there I'm quite happy to take the position of "use requests, Twisted or Python 3.5+ to get HTTPS done right".

There are a variety of reasons not to use the Python 2 stdlib for modern networking, and making better tools more readily accessible to Python 2 users by backporting ensurepip is my preferred answer.

Regards,
Nick.


