[Python-Dev] PYTHONHTTPSVERIFY env var

Antoine Pitrou solipsis at pitrou.net
Mon May 11 12:39:12 CEST 2015


I'm in entire agreement with Donald below.

Regards

Antoine.

On Mon, 11 May 2015 06:23:11 -0400 Donald Stufft <donald at stufft.io> wrote:

I don't really agree that the decision to disable TLS is an environment one, it's really a per application decision. This is why I was against having some sort of global off switch for all of Python because just because one application needs it turned off doesn't mean you want it turned off for another Python application. You might have some script that is interacting with a custom internal server which doesn’t have a valid TLS certificate but then you also have pip* installed which is reaching out to PyPI and downloading code from the internet. You might want to disable TLS verification for the first but you almost certainly don't want it to disable TLS verification for the second one.

In this regard I think that environment variables are somewhat better because they are far easier to set per application instead of in a way that affects every Python program. Per application is the right scope for this setting, especially in a system where people may or may not realize what is written in Python and what isn't. I think it's absolutely wrong to give people a footgun in the terms of a switch that turns off all of Python's TLS verification when for many applications the fact they use Python is simply an implementation detail.

That being said, since it's not being included in Python core and it's only some patch that some downstreams are going to apply I also don't really care that much because it's not going to affect me and if it turns out to be a bad idea and a footgun like I think it is, then the blame can rest on those downstreams and not us :)

I'm also not a fan of the environment variable either really for a lot of the reasons you've outlined here.

* Ignoring the fact that pip has (via requests/urllib3) worked around this deficiency in Python and isn't going to be affected by this configuration switch at all.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
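
Added example, not part of the original thread and not code from its authors: a sketch of the per-application scope argued for above, using the standard `ssl` and `urllib.request` modules. The host name and the helpers `context_for`, `fetch` and `verification_summary` are hypothetical; verification is relaxed only for an explicitly listed host, and every other connection in the same process stays verified.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# Constructed example host: an internal server whose certificate the system
# trust store cannot validate. Hypothetical name, not from the thread.
UNVERIFIED_HOSTS = frozenset({"build.internal.example"})


def context_for(host, internal_ca_file=None):
    """Return an SSLContext for one destination only.

    Nothing global is touched: no environment variable, no monkeypatching of
    the ssl module, so other code in the same process keeps the defaults.
    """
    if internal_ca_file is not None:
        # Preferred fix: stay verified, trusting only the internal CA here.
        return ssl.create_default_context(cafile=internal_ca_file)
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    if host in UNVERIFIED_HOSTS:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch(url, internal_ca_file=None):
    """Open an https URL with a context chosen for that URL's host."""
    host = urlsplit(url).hostname
    ctx = context_for(host, internal_ca_file)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


def verification_summary(hosts):
    """Report, per host, whether the context this app would use verifies."""
    return {h: context_for(h).verify_mode == ssl.CERT_REQUIRED for h in hosts}


if __name__ == "__main__":
    print(verification_summary(["build.internal.example", "pypi.org"]))
```

Passing `internal_ca_file` keeps verification on for the internal server as well, which removes the need for the unverified list entirely.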


