Full Disclosure mailing list archives
Re: [PSRT] Python ssl handling could be better...
From: Barry Warsaw <barry () python org>
Date: Mon, 28 Feb 2011 15:21:39 -0500
On Feb 28, 2011, at 10:37 AM, bk wrote:
> I think we should be happy with the inclusion of such options in 3.2....
>
> No, I'm not going to be happy about an after-thought fix. At least httplib.py should never have been put in the tree without an option to tell ssl.py to verify the server cert. FFS they have client cert support, would it REALLY be that hard to pass the verification parameter to ssl.py? No, it's just sheer ignorance of security.

Maybe I missed it, but do you have a specific patch you want us to review?

As for back porting to stable release versions, that will have to be determined by the release managers for each version, and that can only be done once there are actual patches we can look at. All versions of Python prior to 3.3 are now in stable release mode, so (speaking as the Python 2.6 RM) patches that add new features or change API just can't be accepted. I'm skeptical, but if there are backward compatible changes that can be added as a bug fix to Python 3.2 or 2.7, those might be considered.

The best way to handle the situation in that case is:

* Develop a patch for Python 3.3 which includes unit tests and documentation, get it reviewed, and lobby the Python community for inclusion in 3.3.
* Back port the changes to a standalone library for earlier versions of Python and release these on the Cheeseshop.
* Evangelize these separate packages for users who want the full security of authenticated encrypted channels.

Please understand that these policies have been in place for many years and we adhere to them after many hard lessons learned.

-Barry