On 05.04.2015 22:49, Donald Stufft wrote:
> 
> Donald Stufft added the comment:
> 
>> I don't consider monkey patching a proper way to configure a Python
>> installation.
> 
> The point is that that TLS validation on/off isn't conceptually a Python level
> configuration option, that's going to be a per application configuration
> option. The monkeypatching is simply an escape hatch to give people time to
> update their applications (or pressure whoever wrote the application) to
> support the configuration option that really belongs at the application
> level. It *should* feel improper because the entire concept of a Python level
> on/off switch isn't proper and making it feel more proper by adding an official
> API or config file for doing it is only giving footguns out to people.

People upgrading to a new patch level Python release will *not*
expect or want to have to change their application to adapt to
it. That's simply not within the scope of a patch level release.

Furthermore, old applications such as Zope will (most likely) not
receive such updates.

Please accept that there's a whole universe out there where people
don't continually update their applications, but still want to
benefit from bug fixes to their underlying libs and tools. The
world is full of legacy systems, regardless of whether we like it
or not. There's no good or bad about this. It's just a fact of
life.

What I'm arguing for is a way for admins of such older systems
to be able to receive bug fixes for Python 2.7.x *without*
having to change the applications.

Using an environment setting and adding that to the application's
user account settings is an easy way to resolve the issue in
situations where other options are not feasible or simply not
deemed needed (Zope has been working without any egg verification
for years).