On Jan 22, 2014, at 9:33 AM, Christian Heimes <christ...@python.org> wrote:

> On 22.01.2014 15:12, Jesse Noller wrote:
>> And no one reads it. I can't count the number of times I've gotten called 
>> into a manager's office when they find out Python doesn't do cert validation
>> by default (and in 2, it's not been trivial) and gotten told to fix it, or
>> we move off of Python.
>> 
>> Donald is perfectly right: every time you point out to users that this is 
>> the default behavior the response is almost universally "you can't be 
>> serious, is this a joke?"
> 
> Yes, you are right. :(
> 
> About two months ago (maybe three) I proposed to deprecate implicit SSL
> context, unverified certs and unverified hostnames altogether. But I
> was voted down. Donald made a similar attempt half a year ago, too.

Last time I tried the reasoning was that Python couldn’t ship root certs
and we couldn’t get to the OS certs everywhere. Thanks to you this
is fixed now, so “once more unto the breach”.

> 
> Can't we just mark these things as pending deprecated in Python 3.4 so
> people start fixing their code *now*?

+10000

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
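
The following is an added example, not part of the thread or written by its participants: a small audit of an `ssl.SSLContext` for the "unverified certs" and "unverified hostnames" settings the message above wants deprecated, run against a constructed non-verifying context and against `ssl.create_default_context()`. The function names are hypothetical, and it assumes Python 3.6 or later.

```python
import ssl


def audit_context(ctx):
    """Return the verification gaps present in an ssl.SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("unverified certs")
    if not ctx.check_hostname:
        findings.append("unverified hostnames")
    return findings


def legacy_style_context():
    """Constructed stand-in for a context that validates nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: hostname checking must be switched off before
    # certificate verification can be disabled.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context():
    """Context that requires a valid chain and a matching hostname."""
    return ssl.create_default_context()


def cert_none_rejected_while_hostname_checked():
    """True if the ssl module refuses CERT_NONE while check_hostname is on."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("legacy-style:", audit_context(legacy_style_context()))
    print("default     :", audit_context(verified_context()))
    print("guard active:", cert_none_rejected_while_hostname_checked())
```

A check like `audit_context` can be called wherever code accepts a caller-supplied context, so a non-verifying one is rejected before any connection is made.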
