Author Dima.Tisnek
Recipients Arfrever, Dima.Tisnek, barry, benjamin.peterson, christian.heimes, dstufft, eric.araujo, fweimer, icordasc, jcea, lnussel, loewis, naif, pitrou
Date 2013-11-28.13:08:09
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1385644091.52.0.0091104416292.issue13655@psf.upfronthosting.co.za>
In-reply-to
Content
re: cert_paths = [...]

This approach is rather problematic, there's no guarantee that a path trusted on one system is trusted on another.

I saw this in setuptools branch, where it does:

for path in cert_path:
    if os.path.exists(path)
        return path

Let's say you're user1 on osx and your native true path is "/System/Library/OpenSSL/certs/cert.pem", can you guarantee that someone else, user2, cannot sneak their hacked files into "/etc/pki/" (presumably missing altogether) or "/usr/local/share/"?

Because if user2 can do that, suddenly user1 verifies all traffic against hacked ca list.
History
Date User Action Args
2013-11-28 13:08:11Dima.Tisneksetrecipients: + Dima.Tisnek, loewis, barry, jcea, pitrou, christian.heimes, benjamin.peterson, eric.araujo, Arfrever, naif, icordasc, dstufft, fweimer, lnussel
2013-11-28 13:08:11Dima.Tisneksetmessageid: <1385644091.52.0.0091104416292.issue13655@psf.upfronthosting.co.za>
2013-11-28 13:08:11Dima.Tisneklinkissue13655 messages
2013-11-28 13:08:09Dima.Tisnekcreate