-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft PEP: Enabling certificate verification by default for stdlib mail modules #3602
base: main
Are you sure you want to change the base?
Conversation
Before we proceed any further, do you have a sponsor for this PEP? It's an important first step. Please re-read PEP 1, specifically: https://peps.python.org/pep-0001/#submitting-a-pep I've renamed the PR to make it clear that 738 has not been assigned yet, we need a sponsor first. Edit: 738 (and 739) has already been assigned but not yet merged. |
There's also no Discussions-To: header. Where was this proposal discussed prior to writing the PEP? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general I think you're making a decent point. It would just be nice if you followed the process and discussed this with the developer community before submitting a PEP. Maybe a PEP wouldn't even be necessary? The only issue is one of backwards compatibility.
Anyway, here are a few nits/questions about the PEP as it stands -- but probably you should just start a discussion on discuss.python.org first.
This PEP proposes to enable verification of X509 certificates for Python's | ||
mail clients by default, subject to opt-out on a per-call basis. This change | ||
would be applied to all maintained Python versions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This sounds like the abstract! And what you wrote in the abstract sounds like the motivation. :-)
action should require and explicit confirmation. Not verifying a server certificate | ||
and accepting it violates PEP 20's principle "errors should never pass silently." | ||
|
||
It can also be expected that Python standard libraries behave in a consitent way. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
consistent
.. [#] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39441 | ||
.. [#] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38686 | ||
.. [#] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39441 | ||
.. [#] https://www.pentagrid.ch/en/blog/python-mail-libraries-certificate-verification/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Which IIUC you wrote.
The proposal wasn't discussed and I do not have a sponsor, yet, at least not for the text as it is. I thought Christmas is coming, maybe I can make a wish. :-) I wrote a PEP, because there was already PEP 476 to change the certificate verification for HTTP libs and it was a recommendation to write a PEP over in a Cpython discussion. As far as I understand, writing a PEP seems to be a very specific thing, while for me it feels like the most complicated way of filing a security ticket I have ever experienced. Nevertheless, I can start a discussion at discuss.python.org, maybe in the Ideas section. |
While you can propose a PEP, there is still a certain procedure to be followed and some pre-requisites. |
Yeah, to file a security ticket you typically email security@python.org, but given that there’s already public discussion of the problem, you would generally just be advised to open a regular ticket. The need to write a PEP would come up in the discussion on that issue — or not. I don’t immediately see why this particular issue requires a PEP. So either discuss.python.org or GitHub. |
Whoa. I got the chronology all wrong. In the CPython issue you referenced (which you should have mentioned in the PEP and in the initial comment) it's clear that @vstinner wants to sponsor your PEP, but he prefers it if you contact him, asking him to be a sponsor, so he can guide you through the PEP authoring and submission process. You already submitted an earlier draft PEP, which was closed for this same reason. I am honestly not sure why you didn't just contact him (possibly via the CPython issue) instead of once again breaking protocol and submitting a PEP without context. I'll leave it to @vstinner to deal with the rest of the process now, I am done trying to mentor you, sorry. |
Ah right. So this PR is a duplicate of your #3537 from last month. What happened:
It seems that hasn't happened, and we're back to needing a sponsor, if we want to take the PEP path. I think a discussion at discuss.python.org is the way forward, and hopefully you can find a sponsor there. Let's close this PR as a duplicate, and if you find a sponsor, then you can open a new PR once they're on board. |
Let's open this for a bit longer. @nitram2342 Please will you contact @vstinner and see if he's happy to sponsor? You can find his email on his profile. Let us know if you've any questions. Thanks! |
Yes, this pull request is the second attempt for a PEP. What I did not understand at the time of the first attempt is that there is a sponsor for a specific form of a PEP and not the general idea. I did it wrong and added @vstinner as sponsor without asking him and going into discussion. So, after the first pull request, I contacted @vstinner, because he offered to be a sponsor, but he had no time to review the PEP draft. If people don't have time, that's the way it is. I didn't want to interrupt any further. I started this pull request without a sponsor. I assumed there would be a sponsor if someone considers this important enough. Meanwhile I opened a discussion over on discuss.python.org. We will see where the discussion leads. |
Thank you! For reference, here's a link to the discussion: https://discuss.python.org/t/42313 |
Basic requirements (all PEP Types)
pep-NNNN.rst
), PR title (PEP 123: <Title of PEP>
) andPEP
headerAuthor
orSponsor
, and formally confirmed their approvalAuthor
,Status
(Draft
),Type
andCreated
headers filled out correctlyPEP-Delegate
,Topic
,Requires
andReplaces
headers completed if appropriate.github/CODEOWNERS
for the PEPStandards Track requirements
Python-Version
set to valid (pre-beta) future Python version, if relevantDiscussions-To
andPost-History
📚 Documentation preview 📚: https://pep-previews--3602.org.readthedocs.build/