Message 137745 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	eric.araujo
Recipients	Arfrever, alexis, barry, eric.araujo, fdrake, jwilk, loewis, skrah, tarek, techtonik
Date	2011-06-06.15:50:56
SpamBayes Score	5.7111192e-05
Marked as misclassified	No
Message-id	<1307375457.31.0.560375797852.issue12226@psf.upfronthosting.co.za>
In-reply-to

Content
>> Thanks Stephan, that was on my mind but I forgot it. I’m -1 on >> using https if no validation is performed. > It will be more professional if you could also explain why. If you make an HTTPS connection without checking the certificate, what security does it add? > > Not really; it’s an explanation of our release rules, exposed by >> one of the older developers. > Release rules should be clear enough not to require explanation. Explanations make them clear. > Any account on PyPI that uploads packages used for in enterprise > deployment schemes imposes a danger. Sidenote: I don’t want to give less security to non-enterprise users. Anyway, I understand your point now: insecure upload and download are vulnerable to MITM attacks, and encouraging HTTPS use (through default value + docs) would help against that. I am supportive of a patch, but it doesn’t mean the release process should not be followed. See also #11357 and #8561 about download security.

>> Thanks Stephan, that was on my mind but I forgot it.  I’m -1 on
>> using https if no validation is performed.
> It will be more professional if you could also explain why.

If you make an HTTPS connection without checking the certificate, what security does it add?

> > Not really; it’s an explanation of our release rules, exposed by
>> one of the older developers.
> Release rules should be clear enough not to require explanation.

Explanations make them clear.

> Any account on PyPI that uploads packages used for in enterprise
> deployment schemes imposes a danger.

Sidenote: I don’t want to give less security to non-enterprise users.

Anyway, I understand your point now: insecure upload and download are vulnerable to MITM attacks, and encouraging HTTPS use (through default value + docs) would help against that.  I am supportive of a patch, but it doesn’t mean the release process should not be followed.  See also #11357 and #8561 about download security.

History
Date	User	Action	Args
2011-06-06 15:50:57	eric.araujo	set	recipients: + eric.araujo, loewis, fdrake, barry, techtonik, tarek, jwilk, Arfrever, skrah, alexis
2011-06-06 15:50:57	eric.araujo	set	messageid: <1307375457.31.0.560375797852.issue12226@psf.upfronthosting.co.za>
2011-06-06 15:50:56	eric.araujo	link	issue12226 messages
2011-06-06 15:50:56	eric.araujo	create