Antoine Pitrou added the comment:

> Why is this not a security patch? Because it's not a "vulnerability"
> in the narrow technical sense? I expect that it will greatly increase
> the actual practical security, by making it easier to do the right
> thing.

IMO it's not a vulnerability. It's not a security hole in Python: the flag is there for people to turn on or off, and the whole thing is documented (with a highly visible red warning). The situation is actually much better than in 2.7.

I would also like to point out Python isn't a Web browser: its use cases are wider, and there's no default interactive UI to allow the user to bypass certificate issues (which are still common nowadays on the Internet). I think it makes it much less appropriate to be "strict by default".

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue19292>
_______________________________________