Clarified the issue heading a bit, and cc'ed in the main Debian/Ubuntu folks.

Matthias, Barry - the attached patch here is aimed at making PEP 476 a bit more distro friendly by moving the "opt out" to a configuration file rather than requiring monkeypatching in sitecustomize.

For upstream, the key components of the proposal are to have a simple ini-style config file that makes it possible to toggle the behaviour of the "ssl._create_default_https_context" function:

$ cat cert-verification.conf
[https]
verify=disable

=> ssl._create_default_https_context = ssl._create_unverified_context


$ cat cert-verification.conf
[https]
verify=enable

=> ssl._create_default_https_context = ssl.create_default_context

If the config file is missing entirely, there's no https section in the file, or the "verify" setting is missing, then it would default to verifying HTTPS certificates.

As more protocols were moved over to verifying certificates by default, they could follow the same pattern of having a private helper function in the ssl module that referred to either _create_unverified_context() or create_default_context() based on whether certification verification was enabled or not.

It would also be possible to define a true overall ssl/tls default behaviour using this scheme, but I think that's out of scope for this particular proposal.