[RFC] Default to urllib http implementation.

[Toshio Kuratomi]

On 05/18/2009 05:25 PM, Jelmer Vernooij wrote:
> Would it make sense to switch to using the urllib http backend in bzr
> by default?
>
> I get a couple of test failures when changing the default to urllib, but other
> than that, would there be any particular reason not to use urllib
> default ?
>
Does the code bzr uses with urllib work with https proxies?  (not http, 
https).  I switched one of my projects over to pycurl because urllib did 
not do that out of the box.

Does bzr intend to handle authentication via SSL client certificates 
within bzrlib at some point in the future?  This would also be 
additional code for urllib that's mostly taken care of in pycurl.

Do people feel that man-in-the-middle attacks between the client and a 
remote repository is a problem that bzr wants to prevent?  If so, that 
is currently taken care of by pycurl and urllib would need additional 
code to handle it.

Note that the problem that jogged your memory on this is just an aspect 
of the third feature I listed.  For pycurl to handle the case where the 
server's certificate is invalid (self-signed, out-of-date, for a 
different host, etc), bzr could grow an --insecure option that turns off 
the host certificate check.  This should be easier to code than an 
option to turn on checking for urllib.

-Toshio