On Feb 28, 2011, at 10:37 AM, bk wrote:

>> I think we should be happy with the inclusion of such options in 3.2....
>
> No, I'm not going to be happy about an after-thought fix. At least
> httplib.py should never have been put in the tree without an option to tell
> ssl.py to verify the server cert. FFS they have client cert support, would
> it REALLY be that hard to pass the verification parameter to ssl.py? No,
> it's just sheer ignorance of security.

Maybe I missed it, but do you have a specific patch you want us to review?

As for back porting to stable release versions, that will have to be determined by the release managers for each version, and that can only be done once there are actual patches we can look at.

All versions of Python prior to 3.3 are now in stable release mode, so (speaking as the Python 2.6 RM) patches that add new features or change API just can't be accepted. I'm skeptical, but if there are backward compatible changes that can be added as a bug fix to Python 3.2 or 2.7, those might be considered.

The best way to handle the situation in that case is:

* Develop a patch for Python 3.3 which includes unit tests and documentation, get it reviewed, and lobby the Python community for inclusion in 3.3.
* Back port the changes to a standalone library for earlier versions of Python and release these on the Cheeseshop.
* Evangelize these separate packages for users who want the full security of authenticated encrypted channels.

Please understand that these policies have been in place for many years and we adhere to them after many hard lessons learned.

-Barry
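The server-verifying HTTPS client that the thread says httplib lacked, written as an added example against the modern `ssl`/`http.client` API (this is not code from the thread, from Barry, or from the stdlib): the unverified configuration that the complaint describes sits beside the verifying one so the difference is visible. Function names are mine and `example.invalid` is a placeholder host; no connection is actually opened.

```python
import http.client
import ssl
from typing import Optional


def legacy_unverified_context() -> ssl.SSLContext:
    """Reconstruction (assumption, from the thread) of what pre-3.3 httplib
    effectively did: encrypt the channel but verify neither the server's
    certificate chain nor its hostname, so any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Server-authenticated TLS: the chain is validated against a CA store
    (the platform store when cafile is None) and the presented certificate
    must match the hostname we asked for."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context() already sets both; assert so a future
    # change elsewhere cannot silently weaken this helper.
    assert ctx.verify_mode == ssl.CERT_REQUIRED
    assert ctx.check_hostname
    return ctx


def https_connection(host: str, port: int = 443, *, verify: bool = True,
                     cafile: Optional[str] = None) -> http.client.HTTPSConnection:
    """Build an HTTPSConnection whose socket is wrapped with a verifying
    context unless verify=False is chosen explicitly (the opt-out the
    thread wanted to be a deliberate choice, not the silent default)."""
    ctx = verifying_context(cafile) if verify else legacy_unverified_context()
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=10)


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant settings, e.g. for an audit log."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    print("legacy   :", describe(legacy_unverified_context()))
    print("verifying:", describe(verifying_context()))
    conn = https_connection("example.invalid")   # placeholder host
    print("connection type:", type(conn).__name__)
```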
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/