>> This may not be satisfying to users. For example, our Windows
>> distribution doesn't ship with any certicates (AFAIK); I have no
>> clue where exactly OpenSSL would be looking for them, either.
>> People worried about this problem probably would want a way to
>> fill the list of trusted CA certificates.
>>
> 
> Martin does it matter?
> To be honest I don't know about that many client side python windows
> applications for which this is a problem for. Maybe I am mistaken.

I can't understand why you are saying that. The very same issues
that people perceive as problems on Unix ("users can be victim
to man in the middle attack") also exist on Windows. If you run
a Python script that does https on Windows, you can *also* be
MITM-victim (as likely as you can on Unix, that is).

Or are you suggesting that Python Windows applications don't use SSL?

> If
> this is the case, then how do these projects work at the moment? (or
> do they just not care about this...) .

"The projects" may be scripts that somebody developed that never get
released. But yes, most people ignore/accept the problem (often as
gruntingly as the Unix users).

> However, they could bundle
> their own certificates, so I don't see this as an issue.

Who is "they"? Most people get their Python binaries from python.org,
and they don't build "applications" from it, but run "scripts".

> However, you seem confused here:
> " I have no
>> clue where exactly OpenSSL would be looking for them, either.
>> People worried about this problem probably would want a way to
>> fill the list of trusted CA certificates."
> 
> Erh, those people can already do this, but the problem is by default
> none are selected.

You misunderstood. I was not proposing that scripts provide a CA
list, but that users might deploy a CA list into their Python
installation, which is then picked up in the same way as you are asking
for on Ubuntu.