https://bugzilla.novell.com/show_bug.cgi?id=761501
https://bugzilla.novell.com/show_bug.cgi?id=761501#c18
--- Comment #18 from James Oakley
There's nothing the application author needs to know. The situation doesn't get worse. Right now if one doesn't pass a path for a CA bundle two things might happen depending on how modules interact with openssl: a) no ssl checks at all, connection succeeds but is in fact insecure b) ssl connections always fail due to lack of trust anchors
Please consider the following:

1. In the requests module, the subject of this bug report, the code specifies a CA path. It checks for various distribution-specific locations, and failing that, loads the certifi bundle. Your proposed change doesn't affect that in the slightest.
2. If the certificate store is loaded automatically, but only in openSUSE (remember that upstream rejected this), and there is no feedback to indicate whether the store actually loaded or not, how can a module author be sure whether the certificates are verified or not? Should they be checking to see whether they are running on openSUSE 12.2 or above? What if someone compiled their own Python for a virtualenv? This kind of thing is precisely the reason why "explicit is better than implicit".
3. If certificates were verified by default, what if I were calling something on a server with a self-signed certificate? What if I wanted to communicate with a private OBS instance? It would raise exceptions and I would be stuck and unable to use it.
4. We can work around the other issues by adding new parameters, but how would module authors know about them or test that they are actually available? Since upstream rejected it, we would have an incompatible fork. If someone was confounded by the behaviour they would check the documentation on python.org and find that it doesn't match the actual behaviour of the module. This is bad, and would most likely cause a bug report to be sent to the Python tracker.
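What the explicit approach the comment argues for looks like in code, as an added example (written for this page; it is not code from requests, from Python, or from this bug): it probes distribution bundle locations in the order the comment describes requests doing, falls back to the certifi bundle, and, unlike an implicitly loaded store, reports how many trust anchors actually ended up in the context so the caller is never guessing whether verification is real. The three paths in `DISTRO_CA_BUNDLES`, the function names, and the `probe_bundle_file` helper are assumptions of this example; the `verify=True/False/<path>` convention mirrors the `verify` argument requests exposes, with the path form covering the private-CA case from point 3.

```python
import os
import ssl
import tempfile

# Distribution CA bundle locations to probe, in order. These are the usual
# paths on these distributions, but the list is this example's assumption,
# not copied from requests.
DISTRO_CA_BUNDLES = [
    "/etc/ssl/ca-bundle.pem",              # openSUSE
    "/etc/ssl/certs/ca-certificates.crt",  # Debian / Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL / Fedora
]


def find_ca_bundle(candidates=DISTRO_CA_BUNDLES):
    """Return the first existing distribution bundle; otherwise certifi's
    bundle if certifi is installed; otherwise None so the caller must decide."""
    for path in candidates:
        if os.path.isfile(path):
            return path
    try:
        import certifi  # optional dependency shipping the Mozilla root store
    except ImportError:
        return None
    return certifi.where()


def trusted_ca_count(ca_bundle):
    """Load ca_bundle into a fresh context and report how many CA certificates
    actually landed in the trust store. 0 means "no trust anchors": a missing
    or empty file, or a file with no parseable certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=ca_bundle)
    except (OSError, ssl.SSLError):
        return 0
    return ctx.cert_store_stats()["x509_ca"]


def probe_bundle_file(pem_bytes):
    """Write pem_bytes to a temporary file and return trusted_ca_count() for
    it; used to show what a bad bundle looks like to the loader."""
    with tempfile.NamedTemporaryFile(suffix=".pem", delete=False) as f:
        f.write(pem_bytes)
        path = f.name
    try:
        return trusted_ca_count(path)
    finally:
        os.unlink(path)


def make_client_context(verify=True):
    """Build a client SSLContext with an explicit, inspectable policy.

    verify=True   -> verify against find_ca_bundle(); fail loudly on an
                     empty trust store rather than silently not verifying
    verify=<path> -> verify only against that bundle (e.g. a private CA)
    verify=False  -> no verification; the peer is not authenticated
    Returns (context, number_of_trusted_cas).
    """
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if verify is False:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx, 0
    bundle = find_ca_bundle() if verify is True else verify
    if bundle is None:
        raise RuntimeError("no CA bundle found and certifi is not installed")
    ctx.load_verify_locations(cafile=bundle)  # raises on missing/garbled file
    count = ctx.cert_store_stats()["x509_ca"]
    if count == 0:
        raise RuntimeError(f"{bundle} contains no CA certificates")
    return ctx, count


if __name__ == "__main__":
    bundle = find_ca_bundle()
    print("bundle:", bundle, "trusted CAs:", trusted_ca_count(bundle) if bundle else 0)
    print("empty bundle file loads", probe_bundle_file(b""), "CAs")
```

The point of `trusted_ca_count` is the feedback the comment says an implicit store lacks: a context whose store holds zero CA certificates will reject every peer, and a context built with `verify=False` accepts every peer, and both facts are visible to the module author before the first connection is made.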