Draft PEP: Enabling certificate verification by default for stdlib mail modules #3602
Conversation
hugovk
changed the title
|
Before we proceed any further, do you have a sponsor for this PEP? It's an important first step. Please re-read PEP 1, specifically: https://peps.python.org/pep-0001/#submitting-a-pep I've renamed the PR to make it clear that 738 has not been assigned yet, we need a sponsor first. Edit: 738 (and 739) has already been assigned but not yet merged. |
|
There's also no Discussions-To: header. Where was this proposal discussed prior to writing the PEP? |
There was a problem hiding this comment.
In general I think you're making a decent point. It would just be nice if you followed the process and discussed this with the developer community before submitting a PEP. Maybe a PEP wouldn't even be necessary? The only issue is one of backwards compatibility.
Anyway, here are a few nits/questions about the PEP as it stands -- but probably you should just start a discussion on discuss.python.org first.
| This PEP proposes to enable verification of X509 certificates for Python's | ||
| mail clients by default, subject to opt-out on a per-call basis. This change | ||
| would be applied to all maintained Python versions. |
There was a problem hiding this comment.
This sounds like the abstract! And what you wrote in the abstract sounds like the motivation. :-)
| action should require and explicit confirmation. Not verifying a server certificate | ||
| and accepting it violates PEP 20's principle "errors should never pass silently." | ||
|
|
||
| It can also be expected that Python standard libraries behave in a consitent way. |
| .. [#] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39441 | ||
| .. [#] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38686 | ||
| .. [#] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39441 | ||
| .. [#] https://www.pentagrid.ch/en/blog/python-mail-libraries-certificate-verification/ |
|
The proposal wasn't discussed and I do not have a sponsor, yet, at least not for the text as it is. I thought Christmas is coming, maybe I can make a wish. :-) I wrote a PEP, because there was already PEP 476 to change the certificate verification for HTTP libs and it was a recommendation to write a PEP over in a Cpython discussion. As far as I understand, writing a PEP seems to be a very specific thing, while for me it feels like the most complicated way of filing a security ticket I have ever experienced. Nevertheless, I can start a discussion at discuss.python.org, maybe in the Ideas section. |
|
While you can propose a PEP, there is still a certain procedure to be followed and some pre-requisites. |
|
Yeah, to file a security ticket you typically email [email protected], but given that there’s already public discussion of the problem, you would generally just be advised to open a regular ticket. The need to write a PEP would come up in the discussion on that issue — or not. I don’t immediately see why this particular issue requires a PEP. So either discuss.python.org or GitHub. |
|
Whoa. I got the chronology all wrong. In the CPython issue you referenced (which you should have mentioned in the PEP and in the initial comment) it's clear that @vstinner wants to sponsor your PEP, but he prefers it if you contact him, asking him to be a sponsor, so he can guide you through the PEP authoring and submission process. You already submitted an earlier draft PEP, which was closed for this same reason. I am honestly not sure why you didn't just contact him (possibly via the CPython issue) instead of once again breaking protocol and submitting a PEP without context. I'll leave it to @vstinner to deal with the rest of the process now, I am done trying to mentor you, sorry. |
Ah right. So this PR is a duplicate of your #3537 from last month. What happened:
It seems that hasn't happened, and we're back to needing a sponsor, if we want to take the PEP path. I think a discussion at discuss.python.org is the way forward, and hopefully you can find a sponsor there. Let's close this PR as a duplicate, and if you find a sponsor, then you can open a new PR once they're on board. |
|
Let's open this for a bit longer. @nitram2342 Please will you contact @vstinner and see if he's happy to sponsor? You can find his email on his profile. Let us know if you've any questions. Thanks! |
|
Yes, this pull request is the second attempt for a PEP. What I did not understand at the time of the first attempt is that there is a sponsor for a specific form of a PEP and not the general idea. I did it wrong and added @vstinner as sponsor without asking him and going into discussion. So, after the first pull request, I contacted @vstinner, because he offered to be a sponsor, but he had no time to review the PEP draft. If people don't have time, that's the way it is. I didn't want to interrupt any further. I started this pull request without a sponsor. I assumed there would be a sponsor if someone considers this important enough. Meanwhile I opened a discussion over on discuss.python.org. We will see where the discussion leads. |
|
Thank you! For reference, here's a link to the discussion: https://discuss.python.org/t/42313 |
Basic requirements (all PEP Types)
pep-NNNN.rst), PR title (PEP 123: <Title of PEP>) andPEPheaderAuthororSponsor, and formally confirmed their approvalAuthor,Status(Draft),TypeandCreatedheaders filled out correctlyPEP-Delegate,Topic,RequiresandReplacesheaders completed if appropriate.github/CODEOWNERSfor the PEPStandards Track requirements
Python-Versionset to valid (pre-beta) future Python version, if relevantDiscussions-ToandPost-History📚 Documentation preview 📚: https://pep-previews--3602.org.readthedocs.build/