Message137366
Before the next version is released, I'd like to push this one line modification to reduce the risk of sniffing Python development password when people upload packages to PyPI by using https:// communication channel by default.
Distutils doesn't validate PyPI server certificate, so this change doesn't prevent from MITM attacks, but at least it makes package submissions over wireless channels and public networks safer.
Taking into account that people still release packages for Python 2.5+ (AppEngine), I'd like to see this fix backported to at least Python 2.6 |
|
Date |
User |
Action |
Args |
2011-05-31 16:51:05 | techtonik | set | recipients:
+ techtonik, tarek, eric.araujo, alexis |
2011-05-31 16:51:05 | techtonik | set | messageid: <1306860665.45.0.32361907398.issue12226@psf.upfronthosting.co.za> |
2011-05-31 16:51:04 | techtonik | link | issue12226 messages |
2011-05-31 16:51:04 | techtonik | create | |
|