Openembedded Core Discussions
From: Peter Urbanec <openembedded-devel@urbanec.net>
To: "Burton, Ross" <ross.burton@intel.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH v2 0/1] Python: Upgrade from 2.7.3 to 2.7.9
Date: Mon, 02 Mar 2015 21:29:57 +1100
Message-ID: <54F43BA5.8010101@urbanec.net>
In-Reply-To: <CAJTo0LbPVzhW9C7e3-2J45Yc5HiTEsby=c95PuaCRhF+bV01tQ@mail.gmail.com>

On 28/02/15 03:07, Burton, Ross wrote:
> IIRC the general argument is that if you're assuming a self-signed
> certification is valid, you've lost so much security.  We're in the
> middle of a development cycle so this will only impact people using or
> moving to 1.8.

I'm completely in favour of this change from the security point of view. 
However, it is likely to trip up a few people, so the change in 
behaviour should be prominently highlighted in the release notes. I also 
think that it may be a good idea to keep 2.7.3 around so that it is 
possible to move to new oe-core and keep the old python around. I would 
not be surprised if there were other differences between 2.7.3 and 2.7.9 
that complicate life. My main rationale for keeping both 2.7.3 and 2.7.9 
would be that 2.7.9 can not be made backwards compatible when it comes 
to the SSL certificates. The only fix is at the source code level for 
every application that uses SSL based protocols or alternatively 
convincing the server operators to use certificates issued by well known 
CAs. For my use case scenario, that's not workable because the user of 
the device can download packages from third party feeds, including 
closed source plugins. Yes, 2.7.9 is doing the right thing, but in this 
case doing the right thing breaks too much stuff.

> I've just verified that python-imaging works for me (and works on the
> autobuilders), so if you can replicate the failure on demand then filing
> a bug would be useful.

Good to know that it is something that is specific to my setup. I'll 
look into it again when I have a little bit of time on my hands. Right 
now I've put python 2.7.3 in my local overlay and am using it to get 
work done.


