Re: [Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
On Tue, Jun 4, 2013 at 9:15 AM, Donald Stufft wrote:
> Generally any of these will be completely valid options, even disabling the
> checks. The idea behind my proposal is that people generally only use TLS
> for a reason and that reason is they want to protect against the kinds of
> attacks that TLS protects against. You really only get the bulk of those
> protections if you validate the certificates. So for the vast bulk of people
> validation is the option they want. It also happens that validation on by
> default is "secure" by default which aims a fairly large foot gun away from
> people's feet.

Yep. I absolutely agree, and if Python had been like this ever since 3.0, there would be no issue whatsoever. The only problem is that it's going to trip up people who have otherwise-working code that gets broken by a change of Python version. The problem isn't even in their code, it's in the remote end.

I support making the change, but all of the solutions you propose require being aware of the problem. Somehow people will need to be told, preferably before it breaks something, that the default has changed.

ChrisA

___
Python-Dev mailing list
[email protected]
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
Re: [Python-Dev] Putting the Mac Build in the Apple App Store
In article <[email protected]>, Raymond Hettinger wrote:
> Does anyone know what we would need to do to get Python in the Apple
> application store as a free App?
>
> The default security settings on OS X 10.8 block the installation of the DMG
> (or any software downloaded outside the app store). A number of my students
> are having difficulty getting around it will help.

The ReadMe file included in the current Python OS X installer DMGs explains exactly how to get around the problem:

"If you are attempting to install on an OS X 10.8 system, you may see a message that Python can't be installed because it is from an unidentified developer. This is because this Python installer package is not yet compatible with the Gatekeeper security feature introduced in OS X 10.8. To allow Python to be installed, you can override the Gatekeeper policy for this install. In the Finder, instead of double-clicking, control-click or right click the "Python" installer package icon. Then select "Open using ... Installer" from the contextual menu that appears."

There are a number of other installers that haven't been updated yet for Gatekeeper, including the current ActiveState Tcl installers. The same technique works for all of them. This is basic knowledge needed to use OS X 10.8. Even so, the Python installer will get updated.

> If we were in the app store, installation and upgrade would be a piece of
> cake.

Sorry but, under the current Apple app store rules, Python would never be accepted. Among other things, it would need to be "sandboxed" meaning it could only use a very limited set of OS APIs and would have very limited access to the user's file system. Such a Python would not be very usable.

--
Ned Deily, [email protected]
Re: [Python-Dev] Putting the Mac Build in the Apple App Store
On 4 Jun, 2013, at 6:44, Raymond Hettinger wrote:
> Does anyone know what we would need to do to get Python in the Apple
> application store as a free App?
>
> The default security settings on OS X 10.8 block the installation of the DMG
> (or any software downloaded outside the app store). A number of my students
> are having difficulty getting around it will help.
>
> If we were in the app store, installation and upgrade would be a piece of
> cake.

A problem with the app store is that the Python installation should then be an app (for example IDLE.app), and that the application must be sandboxed. The latter is a showstopper, as scripts run with the interpreter would be sandboxed as well and hence couldn't access most of the system.

A better solution for the problem with OSX 10.8's security settings is to sign the installer with a developer ID. It can then be opened by double clicking because the app is provided by an "identified developer".

A problem with signing the installer is that this requires changes to the installer, we're currently using an ancient installer format that cannot be signed. That should be changed some time in the future anyway and signing the installer could be a good reason to work on that.

BTW. There is a workaround that makes it possible to install without signing the installer: right-click on the installer and select "open" (instead of double clicking the installer). The system will then give a scary warning, but will allow installation anyway.

Ronald
Re: [Python-Dev] Validating SSL By Default (aka Including a Cert Bundle in CPython)
On 3 Jun, 2013, at 7:58, Benjamin Peterson wrote:
> 2013/6/2 Donald Stufft:
>> As of right now, as far as I can tell, Python does not validate HTTPS
>> certificates by default. As far as I can tell this is because there is no
>> guaranteed certificates available.
>>
>> So I would like to propose that CPython adopt the Mozilla SSL certificate
>> list and include it in core, and switch over the API's so that they verify
>> HTTPS by default.
>
> +1
>
>>
>> Ideally this would take the shape of attempting to locate the system
>> certificate store if possible, and if that doesn't work falling back to the
>> bundled certificates. That way the various Linux distros can easily have
>> their copies of Python depend solely on their built in certs, but Windows,
>> OSX, Source compiles etc will all still have a fallback value.
>
> My preference would actually be for the included certificates file
> to be used by default. This would provide a consistent experience
> across platforms. We could provide options to look for system cert
> repositories if desired.

I'd prefer to use the system CA list when that's available. I've had to hunt down the CA list for a number of applications when a custom CA for internal use and that's not fun, using the system list is much friendlier to users.

Ronald
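What the proposal in this thread amounts to with the present-day `ssl` module, as an added example that is not code from any of the posters or from CPython: prefer the system CA store, fall back to a bundled CA file, and make disabling verification an explicit step. The function names and the `bundled_cafile` and `have_system` parameters are assumptions of the example.

```python
import os
import ssl
import sys


def system_store_available():
    """Best-effort check that the platform's default CA locations are usable."""
    if sys.platform == "win32":
        return True  # load_default_certs() reads the Windows certificate store
    paths = ssl.get_default_verify_paths()
    if paths.cafile and os.path.isfile(paths.cafile):
        return True
    # A capath directory is read lazily, so cert_store_stats() cannot see it.
    return bool(paths.capath and os.path.isdir(paths.capath)
                and os.listdir(paths.capath))


def verifying_context(bundled_cafile=None, have_system=None):
    """Return (context, source): system CAs first, bundled file as fallback.

    bundled_cafile and have_system are hypothetical parameters of this
    example; have_system overrides the probe so the fallback can be tested.
    """
    # PROTOCOL_TLS_CLIENT already sets CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if have_system is None:
        have_system = system_store_available()
    if have_system:
        ctx.load_default_certs()
        return ctx, "system"
    if bundled_cafile is None:
        raise ValueError("no system CA store and no bundled CA file given")
    ctx.load_verify_locations(cafile=bundled_cafile)
    return ctx, "bundled"


def unverified_context():
    """Explicit opt-out for callers who knowingly accept any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: CERT_NONE is rejected while check_hostname is still True.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def policy(ctx):
    """Summarise what a context enforces, e.g. for a start-up log line."""
    return {"verify": ctx.verify_mode == ssl.CERT_REQUIRED,
            "hostname": ctx.check_hostname}
```

Logging `policy(ctx)` at start-up is one way to surface the changed default before a remote end with a bad certificate breaks otherwise-working code.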
Re: [Python-Dev] Let's get rid of unbound methods
On 04/06/13 12:43, 探晴 wrote:

Your email appears to be blank, except for a large chunk of HTML code. Did you have something specific to say other than the subject line?

As for unbound methods, Guido's time machine strikes again. They're already gone in Python 3.

py> class X:
...     def spam(self):
...         pass
...
py> X.spam
py> X().spam

--
Steven
[Python-Dev] [engineering.redhat.com #216557] [Fwd: Validating SSL By Default (aka Including a Cert Bundle in CPython)]
Hello David, Donald,

David, thank you for sharing these intentions with us.

On Mon Jun 03 15:56:09 2013, [email protected] wrote:
>
> As of right now, as far as I can tell, Python does not validate HTTPS
> certificates by default. As far as I can tell this
> is because there is no guaranteed certificates available.
>
> So I would like to propose that CPython adopt the Mozilla SSL certificate
> list and include it in core, and switch over
> the API's so that they verify HTTPS by default.

Donald, we would only welcome this enhancement / proposal. To mention some examples - urllib2 and httplib modules:

http://docs.python.org/2/library/urllib2.html
http://docs.python.org/2/library/httplib.html

are documented upstream not to perform SSL certificate verification by default (and due to this fact there have been a couple of CVE identifiers assigned in the past for applications that incorrectly assumed certificates would be validated when using these modules). So any enhancement, which can be done upstream in this area, would be only welcome.

> This is what most people are going to expect when using a https url
> (Especially after learning that Python 2.x doesn't verify TLS, but Python 3.x
> "does").
>
> Ideally this would take the shape of attempting to locate the system
> certificate store if possible, and if that doesn't
> work falling back to the bundled certificates. That way the various Linux
> distros can easily have their copies of Python
> depend solely on their built in certs, but Windows, OSX, Source compiles etc
> will all still have a fallback value.

AFAWCT that proposal looks reasonable.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>
> -
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
[Python-Dev] Do you consider Python a 4GL? Why (not)?
Do you consider Python a 4GL? Why (not)?
Re: [Python-Dev] Do you consider Python a 4GL? Why (not)?
On Tue, Jun 4, 2013 at 4:53 PM, Carlos Nepomuceno <[email protected]> wrote:
> Do you consider Python a 4GL? Why (not)?
>

By the wikipedia definition of 4GL and 5GL, I'd say Python is neither. And it's not a VHLL either, again according to the wikipedia definition. But IMO it is too high level to be a traditional 3GL too.

Perhaps "Scripting language" is the best general category we have that Python fits into. But I hope not.
Re: [Python-Dev] Do you consider Python a 4GL? Why (not)?
On Wed, Jun 5, 2013 at 11:17 AM, Dan Stromberg wrote:
>
> On Tue, Jun 4, 2013 at 4:53 PM, Carlos Nepomuceno
> wrote:
>>
>> Do you consider Python a 4GL? Why (not)?
>
>
> By the wikipedia definition of 4GL and 5GL, I'd say Python is neither. And
> it's not a VHLL either, again according to the wikipedia definition. But
> IMO it is too high level to be a traditional 3GL too.
>
> Perhaps "Scripting language" is the best general category we have that
> Python fits into. But I hope not.

I think this would be a fun discussion for python-list - just what IS Python?

Here's some stuff on programming vs scripting:

http://www.perl.com/pub/2007/12/06/soto-11.html

(including an awesome line about actors and audience)

ChrisA
[Python-Dev] PEP 443 Accepted
Łukasz,

Congratulations! I've accepted PEP 443. I've already marked it as Accepted in the repo. I've also applied some very minor edits in order to make the text flow a little better in a few places.

I think this is a great PEP -- it's simple, doesn't overreach, and you've managed the bikeshedding admirably. Thank you for your great contribution to Python!

--
--Guido van Rossum (python.org/~guido)
[Python-Dev] PyPI upload error
I've just tried to upload to PyPI using setup.py and got this error:

    Upload failed (503): backend write error

Can anyone tell me what it means?
Re: [Python-Dev] PEP 443 Accepted
Congratulations, Łukasz!

--
~Ethan~
Re: [Python-Dev] PyPI upload error
On Jun 4, 2013, at 9:47 PM, MRAB wrote:
> I've just tried to upload to PyPI using setup.py and got this error:
>
>    Upload failed (503): backend write error
>
> Can anyone tell me what it means?

This is probably more appropriate for distutils-sig, but does it happen every time? or did it just happen once?

-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
Re: [Python-Dev] PyPI upload error
On 05/06/2013 03:07, Donald Stufft wrote:
> On Jun 4, 2013, at 9:47 PM, MRAB wrote:
>> I've just tried to upload to PyPI using setup.py and got this error:
>>
>>    Upload failed (503): backend write error
>>
>> Can anyone tell me what it means?
>
> This is probably more appropriate for distutils-sig, but does it happen
> every time? or did it just happen once?

It happened a couple of times, but worked some time later.

I'll try to remember to ask distutils-sig next time.
