Re: [Python-Dev] PEP476: Enabling certificate validation by default

2014-09-20 Thread Christian Heimes
On 19.09.2014 18:53, Alex Gaynor wrote:
> Hi all,
> 
> I've just updated the PEP to reflect the API suggestions from Nick, and the
> fact that the necessary changes to urllib were landed.
> 
> I think this is ready for pronouncement, Guido?

There is still the issue with SSL_CERT_DIR and SSL_CERT_FILE on Windows
and Apple's OpenSSL builds on OSX. I've opened a bug report
http://bugs.python.org/issue22449

tl;dr
On Windows SSL_CERT_DIR and SSL_CERT_FILE are simply ignored by
SSLContext.load_verify_locations.
On OSX Apple's Trust Evaluation Agent adds certs behind the scene.
___
Python-Dev mailing list
[email protected]
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com


Re: [Python-Dev] PEP476: Enabling certificate validation by default

2014-09-20 Thread Alex Gaynor
Done and done.

Alex

On Fri, Sep 19, 2014 at 4:13 PM, Guido van Rossum  wrote:

> +1 on Nick's suggestion. (Might also mention that this is the reason why
> both functions should exist and have compatible signatures.)
>
> Also please, please, please add explicit mention of Python 2.7, 3.4 and
> 3.5 in the Abstract (for example in the 3rd paragraph of the abstract).
>
> On Fri, Sep 19, 2014 at 3:52 PM, Nick Coghlan  wrote:
>
>> On 20 September 2014 08:34, Alex Gaynor  wrote:
>> > Pushed a new version which I believe addresses all of these. I added an
>> > example of opting-out with urllib.urlopen, let me know if there's any other
>> > APIs you think I should show an example with.
>>
>> It would be worth explicitly stating the process global monkeypatching
>> hack:
>>
>> import ssl
>> ssl._create_default_https_context = ssl._create_unverified_context
>>
>> Adding that hack to sitecustomize allows corporate sysadmins that can
>> update their standard operating environment more easily than they can
>> fix invalid certificate infrastructure to work around the problem on
>> behalf of their users. It also helps out users that will be able to
>> deal with such broken infrastructure without updating each and every
>> one of their scripts.
>>
>> It's deliberately ugly because it's a genuinely bad idea that folks
>> should want to avoid using, but as a matter of practical reality,
>> corporate IT departments are chronically understaffed, and often fully
>> committed to fighting the crisis du jour, without sufficient time
>> being available for regular infrastructure maintenance tasks.
>>
>> Regards,
>> Nick.
>>
>> --
>> Nick Coghlan   |   [email protected]   |   Brisbane, Australia
>>
>
>
>
> --
> --Guido van Rossum (python.org/~guido)
>



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084


Re: [Python-Dev] PEP476: Enabling certificate validation by default

2014-09-20 Thread Guido van Rossum
Nice. I just realized the release candidate for 3.4.2 is really close (RC1
Monday, final Oct 6, see PEP 429). What's your schedule for 3.4? I see no
date for 2.7.9 yet (but that could just be that PEP 373 hasn't been
updated). What about the Apple and Microsoft issues Christian pointed out?

Regarding the approval process, I want to get this into 2.7 and 3.4, but I
want it done right, and I'm not convinced that the implementation is
sufficiently worked out. I don't want you to feel rushed, and I don't want
you to feel that you can't start coding until the PEP is approved, but I
also feel that I want to see more working code and some beta testing before
it goes live. Perhaps I should just approve the PEP but separately get to
approve the code? (Others will have to review it for correctness -- but I
want to understand and review the API.)

On Sat, Sep 20, 2014 at 8:54 AM, Alex Gaynor  wrote:

> Done and done.
>
> Alex
>
> On Fri, Sep 19, 2014 at 4:13 PM, Guido van Rossum 
> wrote:
>
>> +1 on Nick's suggestion. (Might also mention that this is the reason why
>> both functions should exist and have compatible signatures.)
>>
>> Also please, please, please add explicit mention of Python 2.7, 3.4 and
>> 3.5 in the Abstract (for example in the 3rd paragraph of the abstract).
>>
>> On Fri, Sep 19, 2014 at 3:52 PM, Nick Coghlan  wrote:
>>
>>> On 20 September 2014 08:34, Alex Gaynor  wrote:
>>> > Pushed a new version which I believe addresses all of these. I added an
>>> > example of opting-out with urllib.urlopen, let me know if there's any other
>>> > APIs you think I should show an example with.
>>>
>>> It would be worth explicitly stating the process global monkeypatching
>>> hack:
>>>
>>> import ssl
>>> ssl._create_default_https_context = ssl._create_unverified_context
>>>
>>> Adding that hack to sitecustomize allows corporate sysadmins that can
>>> update their standard operating environment more easily than they can
>>> fix invalid certificate infrastructure to work around the problem on
>>> behalf of their users. It also helps out users that will be able to
>>> deal with such broken infrastructure without updating each and every
>>> one of their scripts.
>>>
>>> It's deliberately ugly because it's a genuinely bad idea that folks
>>> should want to avoid using, but as a matter of practical reality,
>>> corporate IT departments are chronically understaffed, and often fully
>>> committed to fighting the crisis du jour, without sufficient time
>>> being available for regular infrastructure maintenance tasks.
>>>
>>> Regards,
>>> Nick.
>>>
>>> --
>>> Nick Coghlan   |   [email protected]   |   Brisbane, Australia
>>>
>>
>>
>>
>> --
>> --Guido van Rossum (python.org/~guido)
>>
>
>
>
> --
> "I disapprove of what you say, but I will defend to the death your right
> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: 125F 5C67 DFE9 4084
>



-- 
--Guido van Rossum (python.org/~guido)


Re: [Python-Dev] PEP476: Enabling certificate validation by default

2014-09-20 Thread Alex Gaynor
That sounds reasonable to me -- at this point I don't expect this to make
it into 3.4.2; Nick has some working code on the ticket:
http://bugs.python.org/issue22417 it's mostly missing documentation.

Alex

On Sat, Sep 20, 2014 at 9:46 AM, Guido van Rossum  wrote:

> Nice. I just realized the release candidate for 3.4.2 is really close (RC1
> Monday, final Oct 6, see PEP 429). What's your schedule for 3.4? I see no
> date for 2.7.9 yet (but that could just be that PEP 373 hasn't been
> updated). What about the Apple and Microsoft issues Christian pointed out?
>
> Regarding the approval process, I want to get this into 2.7 and 3.4, but I
> want it done right, and I'm not convinced that the implementation is
> sufficiently worked out. I don't want you to feel rushed, and I don't want
> you to feel that you can't start coding until the PEP is approved, but I
> also feel that I want to see more working code and some beta testing before
> it goes live. Perhaps I should just approve the PEP but separately get to
> approve the code? (Others will have to review it for correctness -- but I
> want to understand and review the API.)
>
> On Sat, Sep 20, 2014 at 8:54 AM, Alex Gaynor 
> wrote:
>
>> Done and done.
>>
>> Alex
>>
>> On Fri, Sep 19, 2014 at 4:13 PM, Guido van Rossum 
>> wrote:
>>
>>> +1 on Nick's suggestion. (Might also mention that this is the reason why
>>> both functions should exist and have compatible signatures.)
>>>
>>> Also please, please, please add explicit mention of Python 2.7, 3.4 and
>>> 3.5 in the Abstract (for example in the 3rd paragraph of the abstract).
>>>
>>> On Fri, Sep 19, 2014 at 3:52 PM, Nick Coghlan 
>>> wrote:
>>>
>>>> On 20 September 2014 08:34, Alex Gaynor  wrote:
>>>> > Pushed a new version which I believe addresses all of these. I added an
>>>> > example of opting-out with urllib.urlopen, let me know if there's any other
>>>> > APIs you think I should show an example with.
>>>>
>>>> It would be worth explicitly stating the process global monkeypatching
>>>> hack:
>>>>
>>>> import ssl
>>>> ssl._create_default_https_context = ssl._create_unverified_context
>>>>
>>>> Adding that hack to sitecustomize allows corporate sysadmins that can
>>>> update their standard operating environment more easily than they can
>>>> fix invalid certificate infrastructure to work around the problem on
>>>> behalf of their users. It also helps out users that will be able to
>>>> deal with such broken infrastructure without updating each and every
>>>> one of their scripts.
>>>>
>>>> It's deliberately ugly because it's a genuinely bad idea that folks
>>>> should want to avoid using, but as a matter of practical reality,
>>>> corporate IT departments are chronically understaffed, and often fully
>>>> committed to fighting the crisis du jour, without sufficient time
>>>> being available for regular infrastructure maintenance tasks.
>>>>
>>>> Regards,
>>>> Nick.
>>>>
>>>> --
>>>> Nick Coghlan   |   [email protected]   |   Brisbane, Australia
>>>>
>>>
>>>
>>>
>>> --
>>> --Guido van Rossum (python.org/~guido)
>>>
>>
>>
>>
>> --
>> "I disapprove of what you say, but I will defend to the death your right
>> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
>> "The people's good is the highest law." -- Cicero
>> GPG Key fingerprint: 125F 5C67 DFE9 4084
>>
>
>
>
> --
> --Guido van Rossum (python.org/~guido)
>



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084


Re: [Python-Dev] PEP476: Enabling certificate validation by default

2014-09-20 Thread Nick Coghlan
On 21 September 2014 03:05, Alex Gaynor  wrote:
> That sounds reasonable to me -- at this point I don't expect this to make it
> into 3.4.2; Nick has some working code on the ticket:
> http://bugs.python.org/issue22417 it's mostly missing documentation.

I also think it's more sensible to target 2.7.9 & 3.4.3 for this
change, especially given the remaining rough edges in custom trust
database configuration on Windows and Mac OS X that Christian pointed
out in http://bugs.python.org/issue22449

I don't believe Benjamin has picked a specific date for 2.7.9 yet, but
the regular maintenance release cadence (ignoring security releases)
would put it some time in November, which should be sufficient time to
get the remaining issues ironed out for 3.5 under the normal
development process, and then included under the banner of PEP 476 for
backporting to the maintenance branches.

Regards,
Nick.

-- 
Nick Coghlan   |   [email protected]   |   Brisbane, Australia


Re: [Python-Dev] web-sig mailing list moderating every post?

2014-09-20 Thread Robert Collins
Ugh - this was in my mailbox shortly after the moderator action email
from mailman:

"No, this looks like the spam filter.  Don't know what triggered it.  Or
why it went to you.  But the list moderation is turned off (except for
non-members posting to the list), and you yourself are not moderated,
so...

Bill"

- nothing to see here, move right along, and sorry for the noise.

-Rob

On 21 September 2014 10:19, Robert Collins  wrote:
> I'm not sure of the right place to bring this up - I tried to on the
> web-sig list itself, but the moderator rejected the post.
>
> What I tried to post there was
>
> """Looks like *every* post to web-sig gets manually moderated. That seems
> like it will make discussion rather hard: can we get that changed (or
> is there some historical need for it - if so, perhaps we should use
> python-dev or some other list) ?"""
>
> -Rob
>
> --
> Robert Collins 
> Distinguished Technologist
> HP Converged Cloud



-- 
Robert Collins 
Distinguished Technologist
HP Converged Cloud


Re: [Python-Dev] PEP476: Enabling certificate validation by default

2014-09-20 Thread Guido van Rossum
Sounds good. Maybe we should put the specifically targeted releases in PEP
476?

Nick, do Christian's issues need to be mentioned in the PEP or should we
just keep those in the corresponding tracker items?

On Sat, Sep 20, 2014 at 3:05 PM, Nick Coghlan  wrote:

> On 21 September 2014 03:05, Alex Gaynor  wrote:
> > That sounds reasonable to me -- at this point I don't expect this to make it
> > into 3.4.2; Nick has some working code on the ticket:
> > http://bugs.python.org/issue22417 it's mostly missing documentation.
>
> I also think it's more sensible to target 2.7.9 & 3.4.3 for this
> change, especially given the remaining rough edges in custom trust
> database configuration on Windows and Mac OS X that Christian pointed
> out in http://bugs.python.org/issue22449
>
> I don't believe Benjamin has picked a specific date for 2.7.9 yet, but
> the regular maintenance release cadence (ignoring security releases)
> would put it some time in November, which should be sufficient time to
> get the remaining issues ironed out for 3.5 under the normal
> development process, and then included under the banner of PEP 476 for
> backporting to the maintenance branches.
>
> Regards,
> Nick.
>
> --
> Nick Coghlan   |   [email protected]   |   Brisbane, Australia
>



-- 
--Guido van Rossum (python.org/~guido)


[Python-Dev] web-sig mailing list moderating every post?

2014-09-20 Thread Robert Collins
I'm not sure of the right place to bring this up - I tried to on the
web-sig list itself, but the moderator rejected the post.

What I tried to post there was

"""Looks like *every* post to web-sig gets manually moderated. That seems
like it will make discussion rather hard: can we get that changed (or
is there some historical need for it - if so, perhaps we should use
python-dev or some other list) ?"""

-Rob

-- 
Robert Collins 
Distinguished Technologist
HP Converged Cloud


Re: [Python-Dev] PEP476: Enabling certificate validation by default

2014-09-20 Thread Nick Coghlan
On 21 September 2014 08:22, Guido van Rossum  wrote:
> Sounds good. Maybe we should put the specifically targeted releases in PEP
> 476?
>
> Nick, do Christian's issues need to be mentioned in the PEP or should we
> just keep those in the corresponding tracker items?

They should be mentioned in the PEP, as they will impact the way the
proposed change interacts with the platform trust database - I didn't
realise the differences on Windows and Mac OS X myself until Christian
mentioned them.

To be completely independent of the system trust database in a
reliable, cross-platform way, folks will need to use a custom SSL
context that doesn't enable the system trust store, rather than
relying on the OpenSSL config options - the latter will reliably *add*
certificates, but they won't reliably ignore the default ones provided
by the system.

We may also need some clarification from Ned regarding the status of
OpenSSL and the potential impact switching from dynamic linking to
static linking of OpenSSL may have in terms of the
"OPENSSL_X509_TEA_DISABLE" setting.

Regards,
Nick.

-- 
Nick Coghlan   |   [email protected]   |   Brisbane, Australia
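
Added example (not part of Nick's message or of CPython's own code): one way to build the custom context described above, together with an audit of whether the process-wide HTTPS default replaced by the sitecustomize hack quoted earlier in the thread still verifies. The helper names are hypothetical; `ssl._create_default_https_context` is the private hook named in the thread.

```python
import ssl


def isolated_context(cafile=None, capath=None, cadata=None):
    """Client context that trusts only the CAs passed in explicitly.

    Unlike ssl.create_default_context(), this never calls
    load_default_certs() or set_default_verify_paths(), so the platform
    store and SSL_CERT_FILE / SSL_CERT_DIR play no part in what it loads.
    """
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile or capath or cadata:
        ctx.load_verify_locations(cafile=cafile, capath=capath, cadata=cadata)
    return ctx


def trusted_cert_count(ctx):
    """Number of certificates currently loaded into the context's store."""
    return ctx.cert_store_stats()["x509"]


def verifies_peers(ctx):
    """True when the context validates the chain and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def process_default_verifies():
    """Audit the process-wide HTTPS default.

    Calling the hook shows what http.client / urllib will use when the
    caller passes no context of its own, whatever was assigned to it.
    """
    return verifies_peers(ssl._create_default_https_context())


if __name__ == "__main__":
    ctx = isolated_context()  # pass cafile="..." with your own CA bundle
    print("isolated context verifies:", verifies_peers(ctx))
    print("certs in isolated store:", trusted_cert_count(ctx))
    print("process default verifies:", process_default_verifies())
```

With no CA passed in, the store is empty, so a bundle has to be loaded before the context can validate any peer. A context built this way and passed explicitly (for example as `context=` to `urllib.request.urlopen`) is not affected by reassignment of the process-wide hook.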


Re: [Python-Dev] PEP476: Enabling certificate validation by default

2014-09-20 Thread Guido van Rossum
OK, I'll hold off a bit on approving the PEP, but my intention is to
approve it. Go Alex go!

On Sat, Sep 20, 2014 at 4:03 PM, Nick Coghlan  wrote:

> On 21 September 2014 08:22, Guido van Rossum  wrote:
> > Sounds good. Maybe we should put the specifically targeted releases in PEP
> > 476?
> >
> > Nick, do Christian's issues need to be mentioned in the PEP or should we
> > just keep those in the corresponding tracker items?
>
> They should be mentioned in the PEP, as they will impact the way the
> proposed change interacts with the platform trust database - I didn't
> realise the differences on Windows and Mac OS X myself until Christian
> mentioned them.
>
> To be completely independent of the system trust database in a
> reliable, cross-platform way, folks will need to use a custom SSL
> context that doesn't enable the system trust store, rather than
> relying on the OpenSSL config options - the latter will reliably *add*
> certificates, but they won't reliably ignore the default ones provided
> by the system.
>
> We may also need some clarification from Ned regarding the status of
> OpenSSL and the potential impact switching from dynamic linking to
> static linking of OpenSSL may have in terms of the
> "OPENSSL_X509_TEA_DISABLE" setting.
>
> Regards,
> Nick.
>
> --
> Nick Coghlan   |   [email protected]   |   Brisbane, Australia
>



-- 
--Guido van Rossum (python.org/~guido)