On Jun 5, 2014, at 11:47 AM, Daniele Tricoli <eriol@mornie.org> wrote: > Hello Donald, > > On Thursday 05 June 2014 10:24:48 Donald Stufft wrote: >> You need pyasn1, pyopenssl, and ndg-httpsclient in order for the >> requests/urllib3 stuff to kick in. > > Yes, of course: I was keeping an eye on all the needed packages. > >> It’d probably be a sane idea to use recommends, at least on Python 2.x since >> using that also prevents CRIME and the like which Python 2.x is vulnerable >> to else wise IIRC. > > Thanks for pointing this: for python-requests I will add to Recommends all of > the needed packages to ensure that SNI works as expected and to prevent CRIME. > > For python3-requests do you think it's needed to also add them to Reccomends? > Upstream issue 20994[¹] is still open, but Python3 support SNI, and ssl > compression can be disabled, as reported on the issue, using OP_NO_COMPRESSION > (on python3 >= 3.3, but we have 3.4). I think use Suggests is fine in this > case. > I will add a README.Debian to explain clearly all of it. > > Cheers, > > > [¹] http://bugs.python.org/issue20994 > > -- > Daniele Tricoli 'Eriol' > http://mornie.org Yea it shouldn’t matter on Python 3.x as the SSLContext stuff urllib3 will use to give good defaults there already. ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail