
Author techtonik
Recipients alexis, eric.araujo, tarek, techtonik
Date 2011-05-31.16:51:04
Message-id <1306860665.45.0.32361907398.issue12226@psf.upfronthosting.co.za>
Content
Before the next version is released, I'd like to push this one-line modification to reduce the risk of sniffing the Python development password when people upload packages to PyPI, by using the https:// communication channel by default.

Distutils doesn't validate the PyPI server certificate, so this change doesn't prevent MITM attacks, but at least it makes package submissions over wireless channels and public networks safer.

Taking into account that people still release packages for Python 2.5+ (AppEngine), I'd like to see this fix backported to at least Python 2.6.
History
Date                 User       Action  Args
2011-05-31 16:51:05  techtonik  set     recipients: + techtonik, tarek, eric.araujo, alexis
2011-05-31 16:51:05  techtonik  set     messageid: <1306860665.45.0.32361907398.issue12226@psf.upfronthosting.co.za>
2011-05-31 16:51:04  techtonik  link    issue12226 messages
2011-05-31 16:51:04  techtonik  create
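
The exposure described in the message above can be checked per machine. The following is an added example, not part of the original message and not distutils code: it audits a .pypirc file and reports which upload targets would send credentials over plain HTTP. The sample file, the host names and the `default_repository` value are constructed; pass in the default your distutils version actually uses.

```python
from configparser import RawConfigParser
from urllib.parse import urlsplit

# Constructed sample .pypirc; host names and credentials are placeholders.
SAMPLE = """\
[distutils]
index-servers =
    pypi
    internal
    ghost

[pypi]
username: alice
password: 100%secret

[internal]
repository: http://pypi.internal.example/simple
username: alice
password: hunter2
"""

def audit_pypirc(text, default_repository):
    """Return {server: (url, verdict)} for every configured index server.

    default_repository is an assumption supplied by the caller: the URL
    distutils falls back to when a section has no "repository" key.
    """
    cp = RawConfigParser()  # raw parser: no '%' interpolation of values
    cp.read_string(text)
    if cp.has_option("distutils", "index-servers"):
        servers = cp.get("distutils", "index-servers").split()
    else:
        # old-style files carry a single [server-login] section
        servers = [s for s in cp.sections() if s != "distutils"]
    findings = {}
    for name in servers:
        if not cp.has_section(name):
            findings[name] = (None, "missing-section")
            continue
        url = cp.get(name, "repository", fallback=default_repository)
        # "https" means encrypted in transit only; as the message notes,
        # distutils does not validate the server certificate.
        scheme = urlsplit(url).scheme.lower()
        findings[name] = (url, "https" if scheme == "https" else "cleartext")
    return findings

if __name__ == "__main__":
    for server, (url, verdict) in audit_pypirc(
            SAMPLE, "http://default-index.example/pypi").items():
        print(server, url, verdict)
```
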