R. David Murray added the comment: I do not understand why the vendors want to re-introduce a security hole.
I understand that it causes issues using legacy software to communicate with sites that don't verify, but I think that the correct solution to this is disabling verification on a per-transaction basis, similar to how wget and curl have command line options for. For Python I think this would mean an environment variable. I believe I suggested or supported this before and it was rejected (I don't particularly remember why). If you want to make it config file driven it ought to be keyed by site, not by protocol, IMO, and that seems like a suspect thing to put in a global configuration file. Introducing a global config file for Python is a significant architectural change, and merits a careful discussion (and probably a PEP). I don't think it is particularly useful to have this as a tracker issue at this stage. ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue23857> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
