Title: validate server certificate when uploading packages to PyPI
Type: security Stage: resolved
Components: Distutils, Distutils2 Versions: Python 3.1, Python 3.2, Python 2.7
Status: closed Resolution: duplicate
Dependencies: Superseder: use HTTPS by default for uploading packages to pypi
View: 12226
Assigned To: tarek Nosy List: alexis, eric.araujo, skrah, tarek, techtonik
Priority: normal Keywords:

Created on 2011-06-18 09:33 by techtonik, last changed 2011-06-19 11:58 by skrah. This issue is now closed.

Messages (7)
msg138578 - (view) Author: anatoly techtonik (techtonik) Date: 2011-06-18 09:33
Please add this as a child of master issue12357.

When default protocol to upload to PyPI is switched to HTTPS in issue12226, the next step is to validate the certificate. Certificate validation requires that we will either:

1. distribute root CACert certificate with Python (for some reason it is not included/trusted on Windows platform)
2. acquire certificate for PyPI servers from party trusted by default, so that system certificates can be used for validation
msg138599 - (view) Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2011-06-18 20:54
I’m going to close this report as a duplicate.  The discussion about validation is already started on the other report, and I don’t want to commit first one patch with false security (use HTTPS), then a patch to validate: they should be one patch IMO.
msg138604 - (view) Author: anatoly techtonik (techtonik) Date: 2011-06-18 21:30
That's two separate tickets. I intentionally wasted my time opening several of them to avoid making issues overcomplicated, so that they are manageable for review and won't slip from the next release.

Ping me in GTalk if you want to discuss it.
msg138605 - (view) Author: anatoly techtonik (techtonik) Date: 2011-06-18 21:32
Mind you that HTTPS access without certificate validation is not a false security - even without certificate it provides a good protection from passive attacks.
msg138606 - (view) Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2011-06-18 21:33
I don’t see why you think we need two tickets.  I will not commit the partial patch from the other bug, and I don’t think it’s overcomplicated to think about “use HTTPS with certificate checking”.

About GTalk/Jabber: I prefer to discuss openly on this bug tracker or mailing lists.
msg138611 - (view) Author: anatoly techtonik (techtonik) Date: 2011-06-18 21:53
If tickets are small and easy, they can be committed faster. I wouldn't open another one if this small patch was committed in time. As I already explained, adding certificate check to HTTPS is a further security enhancement, and here is the report for it to not forget and discuss further security issues. It is not 'incomplete'.
msg138628 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2011-06-19 11:58
I agree with Éric: This is a duplicate.
Date User Action Args
2011-06-19 11:58:43skrahsetstatus: open -> closed

nosy: + skrah
messages: + msg138628

resolution: duplicate
2011-06-18 21:53:01techtoniksetmessages: + msg138611
2011-06-18 21:33:27eric.araujosetmessages: + msg138606
2011-06-18 21:32:56techtoniksetmessages: + msg138605
2011-06-18 21:30:50techtoniksetstatus: closed -> open
resolution: duplicate -> (no value)
messages: + msg138604
2011-06-18 20:54:59eric.araujounlinkissue12357 dependencies
2011-06-18 20:54:25eric.araujosetstatus: open -> closed
resolution: duplicate
messages: + msg138599

superseder: use HTTPS by default for uploading packages to pypi
stage: resolved
2011-06-18 20:52:38eric.araujolinkissue12357 dependencies
2011-06-18 09:34:19techtoniksetassignee: tarek

nosy: + eric.araujo, alexis, tarek
components: + Distutils, Distutils2
versions: + Python 3.1, Python 2.7, Python 3.2
2011-06-18 09:33:59techtonikcreate