These are chat archives for cherrypy/cherrypy

3rd
Jul 2018
Tyrfing Mjølner
@TyrfingMjolnir
Jul 03 2018 11:08
@jaraco Re April 3 20:23 `from cherrypy._cpwsgi import wsgiApp` note this works with Python 2.6.5, however not with 2.7
Jason R. Coombs
@jaraco
Jul 03 2018 12:23
@webknjaz I’m not super keen on GPG; I’ve not used it myself, in part because I’ve soured on digital signatures (I signed my e-mails for a decade but no one cared and it only caused problems), but also because when I tried to work with GPG, I found it difficult to use, especially on Windows, and with negligible adoption.
One thing I’d like to avoid is an additional barrier to contribution. If commits in a PR must also be signed, that’s problematic.
Honestly, I’d be interested to know what is the benefit? I understand the theoretical benefit, but who in practice will validate the signed commits? Until there’s sufficient demand on CherryPy, I’m not sure it’s worth it… unless you think signed commits have another benefit.
@ArijeetC I see your demo… and I believe the meat of your changes is at https://github.com/ArijeetC/cherrypy/tree/7713b45
Jason R. Coombs
@jaraco
Jul 03 2018 12:30
@ArijeetC Thanks for the demo - that’s interesting. I do worry that the client implementation feels a bit primitive - in the sense that it’s using pretty raw crypto functions… The name hazmat suggests to me that we wouldn’t expect most users to be using these functions directly.
I thought I saw mention of an RFC. Are there other clients or user-agents (browsers) that implement this RFC?
Sviatoslav Sydorenko
@webknjaz
Jul 03 2018 13:23
@jaraco I was thinking we should sign merges (done automatically by GitHub if you use UI) and our own commits to master, which could be configured to be done automatically as well. I wasn't going to force contributors to do this.
Jason R. Coombs
@jaraco
Jul 03 2018 13:24
Then it seems possible.
I will have to get set up with gpg.
Yet another thing to manage.
Sviatoslav Sydorenko
@webknjaz
Jul 03 2018 13:26
I do that with ansible now :)
Sviatoslav Sydorenko
@webknjaz
Jul 03 2018 13:32

> I thought I saw mention of an RFC.

It was me mentioning TLS client auth probably, which is a way for the server to authenticate a client (as opposed to the client verifying the connection to the server by checking the certificate chain).

https://blog.cloudflare.com/introducing-tls-client-auth/

I don't think it's very widely adopted, but I saw some demand for supporting this. But it can be done by feeding an appropriate SSL Context to the adapter, I think. I'm trying to collect/track TLS-related stuff @ cherrypy/cheroot#95 now.

https://en.wikipedia.org/wiki/Client_certificate (it's basically replacing any need for the client to send password-based auth data)