This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author Dima.Tisnek
Recipients Arfrever, Dima.Tisnek, barry, benjamin.peterson, christian.heimes, dstufft, eric.araujo, fweimer, icordasc, jcea, lnussel, loewis, naif, pitrou
Date 2013-11-28.13:08:09
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1385644091.52.0.0091104416292.issue13655@psf.upfronthosting.co.za>
In-reply-to
Content 
re: cert_paths = [...]

This approach is rather problematic, there's no guarantee that a path trusted on one system is trusted on another.

I saw this in setuptools branch, where it does:

for path in cert_path:
    if os.path.exists(path)
        return path

Let's say you're user1 on osx and your native true path is "/System/Library/OpenSSL/certs/cert.pem", can you guarantee that someone else, user2, cannot sneak their hacked files into "/etc/pki/" (presumably missing altogether) or "/usr/local/share/"?

Because if user2 can do that, suddenly user1 verifies all traffic against hacked ca list.
History
Date User Action Args
2013-11-28 13:08:11Dima.Tisneksetrecipients: + Dima.Tisnek, loewis, barry, jcea, pitrou, christian.heimes, benjamin.peterson, eric.araujo, Arfrever, naif, icordasc, dstufft, fweimer, lnussel
2013-11-28 13:08:11Dima.Tisneksetmessageid: <1385644091.52.0.0091104416292.issue13655@psf.upfronthosting.co.za>
2013-11-28 13:08:11Dima.Tisneklinkissue13655 messages
2013-11-28 13:08:09Dima.Tisnekcreate