Author pitrou
Recipients christian.heimes, gvanrossum, pitrou
Date 2013-10-19.11:53:07
Message-id <1382183555.2517.7.camel@fsol>
In-reply-to <1382148431.62.0.979877534199.issue19292@psf.upfronthosting.co.za>
Content
> Why is this not a security patch? Because it's not a "vulnerability"
> in the narrow technical sense? I expect that it will greatly increase
> the actual practical security, by making it easier to do the right
> thing.

IMO it's not a vulnerability. It's not a security hole in Python: the
flag is there for people to turn on or off, and the whole thing is
documented (with a highly visible red warning). The situation is
actually much better than in 2.7.

I would also like to point out Python isn't a Web browser: its use cases
are wider, and there's no default interactive UI to allow the user to
bypass certificate issues (which are still common nowadays on the
Internet). I think it makes it much less appropriate to be "strict by
default".
History
Date User Action Args
2013-10-19 11:53:07 pitrou set recipients: + pitrou, gvanrossum, christian.heimes
2013-10-19 11:53:07 pitrou link issue19292 messages
2013-10-19 11:53:07 pitrou create