[Python-Dev] PYTHONHTTPSVERIFY env var
Antoine Pitrou
solipsis at pitrou.net
Mon May 11 12:39:12 CEST 2015
More information about the Python-Dev mailing list
I'm in entire agreement with Donald below.

Regards

Antoine.

On Mon, 11 May 2015 06:23:11 -0400
Donald Stufft <donald at stufft.io> wrote:
>
> I don't really agree that the decision to disable TLS is an environment one,
> it's really a per application decision. This is why I was against having some
> sort of global off switch for all of Python because just because one
> application needs it turned off doesn't mean you want it turned off for another
> Python application. You might have some script that is interacting with a
> custom internal server which doesn’t have a valid TLS certificate but then you
> also have pip* installed which is reaching out to PyPI and downloading code
> from the internet. You might want to disable TLS verification for the first but
> you almost certainly don't want it to disable TLS verification for the second
> one.
>
> In this regard I think that environment variables are somewhat better because
> they are far easier to set per application instead of in a way that affects
> every python program. Per application is the *right* scope for this setting,
> especially in a system where people may or may not realize what is written in
> Python and what isn't. I think it's absolutely wrong to give people a footgun
> in the terms of a switch that turns off all of Python's TLS verification when
> for many applications the fact they use Python is simply an implementation
> detail.
>
> That being said, since it's not being included in Python core and it's only
> some patch that some downstreams are going to apply I also don't really care
> that much because it's not going to affect me and if it turns out to be a bad
> idea and a footgun like I think it is, then the blame can rest on those
> downstreams and not us :)
>
> I'm also not a fan of the environment variable either really for a lot of the
> reasons you've outlined here.
>
> * Ignoring the fact that pip has (via requests/urllib3) worked around this
> deficiency in Python and isn't going to be affected by this configuration
> switch at all.
>
>
> ---
> Donald Stufft
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
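
The per-application scope argued for in the quoted message, shown as an added example that is not part of the original thread or of CPython: one script relaxes verification for a single named internal host while every other destination, and the process-wide default, keeps verifying. The host name `build.internal.example` and the helper names are hypothetical.

```python
import ssl
from urllib.parse import urlsplit

# Hypothetical allowlist: the one internal host this script may reach without
# certificate verification. The host name is constructed for the example.
UNVERIFIED_HOSTS = frozenset({"build.internal.example"})


def context_for(url, unverified_hosts=UNVERIFIED_HOSTS):
    """Return an SSLContext scoped to this URL's host.

    Verification is relaxed only for hosts named in the allowlist; every
    other destination gets the normal verifying context.
    """
    host = (urlsplit(url).hostname or "").lower()
    ctx = ssl.create_default_context()
    if host in unverified_hosts:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies(ctx):
    """True when the context checks both the chain and the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def process_default_verifies():
    """Audit check: has something switched verification off process-wide?

    ssl._create_default_https_context is the hook that http.client and
    urllib consult when the caller passes no context.
    """
    return verifies(ssl._create_default_https_context())


if __name__ == "__main__":
    for url in ("https://build.internal.example/artifacts",
                "https://pypi.org/simple/"):
        print(url, "verified" if verifies(context_for(url)) else "UNVERIFIED")
    print("process-wide default verifies:", process_default_verifies())
```

Where the internal server's CA certificate is available, passing it as `ssl.create_default_context(cafile=...)` keeps verification on for that host as well.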