[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110228152139.0b772896@limelight.wooz.org>
Date: Mon, 28 Feb 2011 15:21:39 -0500
From: Barry Warsaw <barry@...hon.org>
To: bk <chort0@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, security@...hon.org
Subject: Re: [PSRT] Python ssl handling could be better...
On Feb 28, 2011, at 10:37 AM, bk wrote:
>> I think we should be happy with the inclusion of such options in 3.2....
>
>No, I'm not going to be happy about an after-thought fix. At least
>httplib.py should never have been put in the tree without an option to tell
>ssl.py to verify the server cert. FFS they have client cert support, would
>it REALLY be that hard to pass the verification parameter to ssl.py? No,
>it's just sheer ignorance of security.
Maybe I missed it, but do you have a specific patch you want us to review?
As for back porting to stable release versions, that will have to be
determined by the release managers for each version, and that can only be done
once there are actual patches we can look at. All versions of Python prior to
3.3 are now in stable release mode, so (speaking as the Python 2.6 RM) patches
that add new features or change API just can't be accepted. I'm skeptical,
but if there are backward compatible changes that can be added as a bug fix to
Python 3.2 or 2.7, those might be considered.
The best way to handle the situation in that case is:
* Develop a patch for Python 3.3 which includes unit tests and documentation,
get it reviewed, and lobby the Python community for inclusion in 3.3.
* Back port the changes to a standalone library for earlier versions of Python
and release these on the Cheeseshop.
* Evangelize these separate packages for users who want the full security of
authenticated encrypted channels.
Please understand that these policies have been in place for many years and we
adhere to them after many hard lessons learned.
-Barry
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists