
Author asdfasdfasdfasdfasdfasdfasdf
Recipients asdfasdfasdfasdfasdfasdfasdf, eric.araujo, loewis, pitrou
Date 2010-11-19.01:46:44
Message-id <AANLkTim-wS1z1rC+fv3YPNPh7dJ4XX=n-WTcHuBADfp8@mail.gmail.com>
In-reply-to <4CE564F5.60401@v.loewis.de>
Content
On 19 November 2010 04:40, Martin v. Löwis <report@bugs.python.org> wrote:
>
> Martin v. Löwis <martin@v.loewis.de> added the comment:
>
>>> This may not be satisfying to users. For example, our Windows
>>> distribution doesn't ship with any certificates (AFAIK); I have no
>>> clue where exactly OpenSSL would be looking for them, either.
>>> People worried about this problem probably would want a way to
>>> fill the list of trusted CA certificates.
>>>
>>
>> Martin, does it matter?
>> To be honest I don't know about that many client side python windows
>> applications for which this is a problem. Maybe I am mistaken.
>
> I can't understand why you are saying that. The very same issues
> that people perceive as problems on Unix ("users can be victim
> to man in the middle attack") also exist on Windows. If you run
> a Python script that does https on Windows, you can *also* be
> MITM-victim (as likely as you can on Unix, that is).
>
> Or are you suggesting that Python Windows applications don't use SSL?
>
>> If
>> this is the case, then how do these projects work at the moment? (or
>> do they just not care about this...).
>
> "The projects" may be scripts that somebody developed that never get
> released. But yes, most people ignore/accept the problem (often as
> gruntingly as the Unix users).
>
>> However, they could bundle
>> their own certificates, so I don't see this as an issue.
>
> Who is "they"? Most people get their Python binaries from python.org,
> and they don't build "applications" from it, but run "scripts".
>
>> However, you seem confused here:
>> " I have no
>>> clue where exactly OpenSSL would be looking for them, either.
>>> People worried about this problem probably would want a way to
>>> fill the list of trusted CA certificates."
>>
>> Erh, those people can already do this, but the problem is by default
>> none are selected.
>
> You misunderstood. I was not proposing that scripts provide a CA
> list, but that users might deploy a CA list into their Python
> installation, which is then picked up in the same way as you are asking
> for on Ubuntu.

No, I did not misunderstand at all.
I am pushing for safer defaults or a way to enable safe defaults.
Having to tamper with my python path and point at a modified version
of the ssl module doesn't sound like fun.

Oh, Windows users, those guys. Well, if they don't have any certificates
at the moment and they don't know this, perhaps someone should tell
them?
I don't know; I am not a Windows Python user.
History
Date                 User                          Action  Args
2010-11-19 01:46:47  asdfasdfasdfasdfasdfasdfasdf  set     recipients: + asdfasdfasdfasdfasdfasdfasdf, loewis, pitrou, eric.araujo
2010-11-19 01:46:44  asdfasdfasdfasdfasdfasdfasdf  link    issue10441 messages
2010-11-19 01:46:44  asdfasdfasdfasdfasdfasdfasdf  create