On Jun 03, 2013, at 02:21 PM, Donald Stufft wrote: >The other additional comment I'd like to throw in here is that if we don't >bundle SSL certs I think we should still verify by default (which means HTTPS >urls will throw an error by default if we can't locate a certificate store) >because I think the risk to people unknowingly thinking that their HTTPS urls >are protected are significant enough that this "error" shouldn't be silent by >default.
+1, especially if we ensure that the APIs are available to not verify, as is currently the case with urlopen(). I don't think people will want to do that in production, but it will be useful for testing (e.g. guess how I found issues 17977 :). -Barry
signature.asc
Description: PGP signature
_______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
