Message 121480 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	asdfasdfasdfasdfasdfasdfasdf
Recipients	asdfasdfasdfasdfasdfasdfasdf, eric.araujo, loewis, pitrou
Date	2010-11-18.17:12:38
SpamBayes Score	6.3540284e-12
Marked as misclassified	No
Message-id	<AANLkTikWiTyJ1O7mns6o50bQbeufS2er=9=WBYHCut1J@mail.gmail.com>
In-reply-to	<1290098923.3522.5.camel@localhost.localdomain>

Content
On 19 November 2010 03:48, Antoine Pitrou <report@bugs.python.org> wrote: > > Antoine Pitrou <pitrou@free.fr> added the comment: > >> > This may not be satisfying to users. For example, our Windows >> > distribution doesn't ship with any certicates (AFAIK); I have no >> > clue where exactly OpenSSL would be looking for them, either. >> > People worried about this problem probably would want a way to >> > fill the list of trusted CA certificates. > > Right, this is just a helper in case OpenSSL is configured correctly by > the OS vendor (the OpenSSL packaged by Linux distros usually is). > >> Erh, those people can already do this, but the problem is by default >> none are selected. >> IMHO something is probably better than nothing in this case(by default). > > We can't change anything by default since it would break > compatibility. We can just provide helpers and arguments to make it easy > to switch to a more "secure" behaviour (for some meaning of secure). what about an environmental setting that can be used to enforce checking (or the like) ?

On 19 November 2010 03:48, Antoine Pitrou <report@bugs.python.org> wrote:
>
> Antoine Pitrou <pitrou@free.fr> added the comment:
>
>> > This may not be satisfying to users. For example, our Windows
>> > distribution doesn't ship with any certicates (AFAIK); I have no
>> > clue where exactly OpenSSL would be looking for them, either.
>> > People worried about this problem probably would want a way to
>> > fill the list of trusted CA certificates.
>
> Right, this is just a helper in case OpenSSL is configured correctly by
> the OS vendor (the OpenSSL packaged by Linux distros usually is).
>
>> Erh, those people can already do this, but the problem is by default
>> none are selected.
>> IMHO something is probably better than nothing in this case(by default).
>
> We can't change anything *by default* since it would break
> compatibility. We can just provide helpers and arguments to make it easy
> to switch to a more "secure" behaviour (for some meaning of secure).

what about an environmental setting that can be used to enforce
checking (or the like) ?

History
Date	User	Action	Args
2010-11-18 17:12:39	asdfasdfasdfasdfasdfasdfasdf	set	recipients: + asdfasdfasdfasdfasdfasdfasdf, loewis, pitrou, eric.araujo
2010-11-18 17:12:38	asdfasdfasdfasdfasdfasdfasdf	link	issue10441 messages
2010-11-18 17:12:38	asdfasdfasdfasdfasdfasdfasdf	create