[Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
David Malcolm
dmalcolm at redhat.com
Mon Jun 3 22:07:05 CEST 2013
On Mon, 2013-06-03 at 12:48 -0400, Barry Warsaw wrote:
> On Jun 03, 2013, at 09:05 AM, Ben Darnell wrote:
>
> >The data is analogous to the time zone database (PEP 431) in that it may
> >need to be updated independently of Python's own release schedule, so we
> >may want to use similar techniques to manage both. Also see certifi (
> >https://pypi.python.org/pypi/certifi), which is a copy of the Mozilla list
> >in a pip-installable form.
>
> Right, this is very much analogous, except with the additional twist that
> out-of-date certificates can pose a significant security risk.
>
> I'm fairly certain that Debian and Ubuntu would explicitly not use any
> certificates shipped with Python, for two main reasons: 1) our security teams
> already manage the certificate store distro-wide and we want to make sure that
> one update fixes everything; 2) we don't want to duplicate code in multiple
> packages[1].

Fedora/RHEL are in a similar position; I expect we'd rip out the bundled certs
in our builds shortly after unzipping the tarball, and use a system-wide cert
store (I "rm -rf" bundled libraries in our builds, to make sure we're not using
them).

[...snip...]
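The two things the thread is weighing, "validate by default" and "system store versus a bundle shipped with the interpreter", can be made concrete with the stdlib `ssl` module. The following is an added example written for this page; it is not code from CPython, certifi or any of the posters. It assumes nothing beyond a Python 3 interpreter; the `certifi` import is optional and treated as absent if it is not installed.

```python
import ssl


def insecure_context():
    """The old behaviour the thread argues against: a TLS client that accepts
    any chain and ignores the hostname. Kept here only as the 'before'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None, capath=None):
    """A client context that validates by default: chain verification plus
    hostname matching. With no arguments it uses OpenSSL's default verify
    paths, i.e. the distro-managed store Debian/Fedora want, not a bundle
    shipped inside the interpreter. Pass cafile/capath to override."""
    ctx = ssl.create_default_context()
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def validates_by_default(ctx):
    """True only if both halves of 'validation' are switched on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def loaded_ca_count(ctx):
    """Number of CA certificates the context actually loaded. 0 means every
    handshake will fail closed, which is the safe failure, not a silent bypass."""
    return ctx.cert_store_stats()["x509_ca"]


def pick_ca_source():
    """Resolve where trust roots come from, preferring the system store so a
    single distro update refreshes every consumer ('one update fixes
    everything'). Falls back to the optional certifi package only when the
    distro exposes no store at all."""
    paths = ssl.get_default_verify_paths()
    # cafile/capath are populated only when the file or directory exists on disk
    if paths.cafile or paths.capath:
        return "system", paths.cafile or paths.capath
    try:
        import certifi  # assumption: may or may not be installed
    except ImportError:
        return "none", None
    return "certifi", certifi.where()


if __name__ == "__main__":
    ctx = verifying_context()
    print("validates:", validates_by_default(ctx), "CAs loaded:", loaded_ca_count(ctx))
    print("trust source:", pick_ca_source())
```

`ssl.get_default_verify_paths()` is the quickest way to see what Barry and David are describing: on a distro build it reports the system bundle (for example under `/etc/ssl` or `/etc/pki`), and a build that ripped out bundled certs still validates because `create_default_context()` loads from those paths. If the report comes back empty, `loaded_ca_count()` is 0 and connections fail rather than silently succeeding, which is the behaviour you want from a "validate by default" interpreter.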