Kami commented on issue #1945: URL: https://github.com/apache/libcloud/issues/1945#issuecomment-1688297032
Thanks for reporting this.

That code is pretty old and I'm wondering how much of it is still relevant. It appears a lot of it was needed in the past due to compatibility with old Python versions.

I would personally feel much more comfortable if that code could be simplified to reduce all the possible permutations and edge cases. This should reduce the surface area and make security and other issues less likely.

And in general I think that code is not following best practices. Doing something like this here (https://github.com/apache/libcloud/blob/abba8c1719a8bda6db8efde2d46fd1b423ae4304/libcloud/container/types.py#L19) and simply accepting any server certificate when that error is received seems like a bad and insecure practice to me.

So if anything, that code should be removed. If we want to leave such an option in the code, it should be an explicit opt-in by the end user - they need to understand and accept the consequences if they choose to skip CA cert validation.
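An added example (not libcloud code and not part of the comment above) contrasting the fail-open fallback the comment objects to with an explicit, user-chosen opt-in. `build_context`, `insecure_skip_verify`, `InsecureTLSWarning` and `fake_connect` are hypothetical names, and the server with an untrusted certificate is simulated so the block runs offline.

```python
import ssl
import warnings


class InsecureTLSWarning(UserWarning):
    """Emitted when the caller disables certificate validation."""


def build_context(ca_file=None, insecure_skip_verify=False):
    """Return an SSLContext; validation stays on unless explicitly disabled."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    if insecure_skip_verify:
        warnings.warn("TLS certificate validation disabled by caller",
                      InsecureTLSWarning, stacklevel=2)
        ctx.check_hostname = False  # must be cleared before setting CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_fail_open(connect):
    """Pattern criticised in the comment: silently retry unverified on a cert error."""
    try:
        return connect(build_context())
    except ssl.SSLCertVerificationError:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", InsecureTLSWarning)
            return connect(build_context(insecure_skip_verify=True))


def connect_fail_closed(connect, ca_file=None, insecure_skip_verify=False):
    """Verification errors propagate; only the caller's own flag disables checks."""
    return connect(build_context(ca_file, insecure_skip_verify))


def fake_connect(ctx):
    """Constructed stand-in for a server presenting an untrusted certificate."""
    if ctx.verify_mode == ssl.CERT_REQUIRED:
        raise ssl.SSLCertVerificationError("certificate verify failed (constructed)")
    return "connected-unverified"
```

With the fail-closed variant, the untrusted certificate surfaces as an `ssl.SSLCertVerificationError` unless the caller passes `insecure_skip_verify=True`, and that choice leaves a warning that can be logged or turned into an error.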