On Mon, Jun 3, 2013 at 1:04 PM, Barry Warsaw <[email protected]> wrote:
> On Jun 03, 2013, at 02:21 PM, Donald Stufft wrote: > > >The other additional comment I'd like to throw in here is that if we don't > >bundle SSL certs I think we should still verify by default (which means > HTTPS > >urls will throw an error by default if we can't locate a certificate > store) > >because I think the risk to people unknowingly thinking that their HTTPS > urls > >are protected are significant enough that this "error" shouldn't be > silent by > >default. > > +1, especially if we ensure that the APIs are available to not verify, as > is > currently the case with urlopen(). I don't think people will want to do > that > in production, but it will be useful for testing (e.g. guess how I found > issues 17977 :). > +1 from me as well. Whether we bundle or simply provide a command to download the certs I think making this default is the bare-minimum, especially if setting nothing more than cadefault=True is all that is needed to get this behaviour since that's backwards-compatible to Python 3.3.
_______________________________________________ Python-Dev mailing list [email protected] http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
