On Jun 3, 2013, at 12:52 PM, Barry Warsaw <ba...@python.org> wrote:

> On Jun 03, 2013, at 03:12 AM, Donald Stufft wrote:
>
>> That's fine with me too. My only reason for wanting to use the system certs
>> first is so if someone has modified their system certs (say to include a
>> corporate cert) that it would ideally take effect for Python as well.
>
> This reminds me of one other thing. We have to make sure that the APIs
> (e.g. urlopen()) continue to allow us to use self-signed certificates, if for
> no other reason than for testing purposes. OTOH, taking this away would be a
> backward incompatible change in API so probably wouldn't happen anyway.
>
> -Barry
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> http://mail.python.org/mailman/options/python-dev/donald%40stufft.io

The other additional comment I'd like to throw in here is that if we don't bundle SSL certs I think we should still verify by default (which means HTTPS URLs will throw an error by default if we can't locate a certificate store) because I think the risk to people unknowingly thinking that their HTTPS URLs are protected is significant enough that this "error" shouldn't be silent by default.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
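
The behaviour discussed in this thread (system certificates first, a loud error when no certificate store can be located, and self-signed certificates still usable for testing) can be sketched with today's standard library. This is an added example, not code from the thread or from CPython. NoTrustStoreError, locate_trust_store, verified_context and the pinned_cafile parameter are hypothetical names, and it assumes an OpenSSL file or directory trust store as found on Linux.

```python
import os
import ssl


class NoTrustStoreError(ssl.SSLError):
    """Raised instead of silently falling back to an unverified connection."""


def locate_trust_store(paths=None):
    """Return the (cafile, capath) that really exist, else (None, None)."""
    paths = paths or ssl.get_default_verify_paths()
    cafile = paths.cafile if paths.cafile and os.path.isfile(paths.cafile) else None
    capath = paths.capath
    # An empty or missing directory is not a usable store.
    if not (capath and os.path.isdir(capath) and os.listdir(capath)):
        capath = None
    return cafile, capath


def verified_context(paths=None, pinned_cafile=None):
    """Build a client context that always verifies the peer.

    pinned_cafile (hypothetical parameter): PEM file holding a self-signed
    test certificate; when given, it is the only trust anchor.
    """
    # PROTOCOL_TLS_CLIENT sets CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if pinned_cafile is not None:
        # Self-signed case: verification stays on, trust is narrowed.
        ctx.load_verify_locations(cafile=pinned_cafile)
        return ctx
    cafile, capath = locate_trust_store(paths)
    if cafile is None and capath is None:
        raise NoTrustStoreError(
            "no CA certificate store found; refusing to connect unverified")
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


if __name__ == "__main__":
    try:
        ctx = verified_context()
        print("verifying against system store:", ctx.verify_mode.name)
    except NoTrustStoreError as exc:
        print("HTTPS would fail loudly:", exc)
```

The returned context can be passed as context= to urllib.request.urlopen().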