
List:       full-disclosure
Subject:    Re: [Full-disclosure] [PSRT] Python ssl handling could be better...
From:       Barry Warsaw <barry () python ! org>
Date:       2011-02-28 20:21:39
Message-ID: 20110228152139.0b772896 () limelight ! wooz ! org

On Feb 28, 2011, at 10:37 AM, bk wrote:

>> I think we should be happy with the inclusion of such options in 3.2....
>
>No, I'm not going to be happy about an after-thought fix.  At least
>httplib.py should never have been put in the tree without an option to tell
>ssl.py to verify the server cert.  FFS they have client cert support, would
>it REALLY be that hard to pass the verification parameter to ssl.py?  No,
>it's just sheer ignorance of security.

Maybe I missed it, but do you have a specific patch you want us to review?

As for back porting to stable release versions, that will have to be
determined by the release managers for each version, and that can only be done
once there are actual patches we can look at.  All versions of Python prior to
3.3 are now in stable release mode, so (speaking as the Python 2.6 RM) patches
that add new features or change API just can't be accepted.  I'm skeptical,
but if there are backward compatible changes that can be added as a bug fix to
Python 3.2 or 2.7, those might be considered.

The best way to handle the situation in that case is:

* Develop a patch for Python 3.3 which includes unit tests and documentation,
  get it reviewed, and lobby the Python community for inclusion in 3.3.

* Back port the changes to a standalone library for earlier versions of Python
  and release these on the Cheeseshop.

* Evangelize these separate packages for users who want the full security of
  authenticated encrypted channels.

Please understand that these policies have been in place for many years and we
adhere to them after many hard lessons learned.

-Barry
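Added example, not code from this thread or from CPython: a small wrapper showing what "telling ssl.py to verify the server cert" looks like with today's stdlib (ssl.create_default_context and http.client.HTTPSConnection, Python 3.4+). The class and helper names are hypothetical; constructing the connection does no network I/O, so the guard can be exercised offline.

```python
import http.client
import ssl


def make_verifying_context(cafile=None):
    """Build an SSLContext that refuses unauthenticated servers.

    create_default_context() already sets CERT_REQUIRED and check_hostname;
    the explicit assignments make the intent visible and survive a caller
    that later tries to relax one of them by accident.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def make_unverified_context():
    """Mirror the old httplib behaviour the thread complains about: encrypt,
    but accept any certificate and any name.  Here only as the bad baseline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx):
    """True only if ctx will reject an unverified or mis-named server cert."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


class VerifiedHTTPSConnection(http.client.HTTPSConnection):
    """Hypothetical HTTPSConnection that cannot exist without verification.

    The stdlib class accepts whatever context it is handed, including one
    with CERT_NONE; this subclass fails closed at construction time.
    """

    def __init__(self, host, port=None, context=None, **kwargs):
        if context is None:
            context = make_verifying_context()
        if not context_is_verifying(context):
            raise ValueError(
                "refusing HTTPS connection without server cert verification")
        super().__init__(host, port, context=context, **kwargs)
```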
