Author techtonik
Recipients Arfrever, alexis, barry, eric.araujo, fdrake, jwilk, loewis, skrah, tarek, techtonik
Date 2011-06-06.07:54:25
SpamBayes Score 1.83396e-05
Marked as misclassified No
Message-id <BANLkTin7jnHg=qAfbZMynmGyTc51tFti=w@mail.gmail.com>
In-reply-to <1307198026.95.0.503396895817.issue12226@psf.upfronthosting.co.za>
Content
On Sat, Jun 4, 2011 at 5:33 PM, Éric Araujo <report@bugs.python.org> wrote:
>
>> I think there should be a warning that the connection is
>> unauthenticated (i.e. not secure). Users tend to be upset if they see
>> 'https' and later find out that no certificates were verified.
>
> Thanks Stephan, that was on my mind but I forgot it.  I’m -1 on using https if no validation is performed.

It will be more professional if you could also explain why. Thanks.

>> I believe that's a very personal judgement.
> Not really; it’s an explanation of our release rules, exposed by one of the older developers.

Release rules should be clear enough not to require explanation.

>> For me exposing core Python development accounts is a fundamental
>> flaw.

> What is a core Python development account?

'core' is not the best word here, so it needs an explanation. Any
account on PyPI that uploads packages used in enterprise
deployment schemes imposes a danger. Potential targets are identified
using a 'package popularity/developer activity' rating to reduce the
risk. These are the primary targets for an attack, which I called
'core'. 'primary' would probably be a better name.
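The point argued in this thread (an `https` upload URL that validates no certificate is not authenticated, and users should be told so) can be checked programmatically against the `ssl` module's context settings. The following is an added example written for this page, not code from the tracker thread or from distutils; the repository URLs and the function names are constructed for the demonstration.

```python
import ssl
import warnings
from typing import Optional
from urllib.parse import urlsplit

# Constructed upload targets for the demonstration (not from the thread).
EXAMPLE_REPOSITORIES = {
    "plain": "http://upload.example.invalid/pypi",
    "secure": "https://upload.example.invalid/pypi",
}


def unverified_context() -> ssl.SSLContext:
    """TLS context that validates nothing: the situation the thread objects to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context() -> ssl.SSLContext:
    """Default context: CA chain verification plus hostname check."""
    return ssl.create_default_context()


def classify_upload(url: str, ctx: Optional[ssl.SSLContext]) -> str:
    """Return 'plaintext', 'https-verified' or 'https-unauthenticated'."""
    if urlsplit(url).scheme.lower() != "https":
        return "plaintext"
    if ctx is not None and ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname:
        return "https-verified"
    # 'https' in the URL, but the server's identity was never checked.
    return "https-unauthenticated"


def warn_if_unauthenticated(url: str, ctx: Optional[ssl.SSLContext]) -> str:
    """Emit the warning the thread asks for; return the classification."""
    kind = classify_upload(url, ctx)
    if kind == "https-unauthenticated":
        warnings.warn(
            f"{url}: HTTPS without certificate validation; server not authenticated",
            RuntimeWarning, stacklevel=2)
    return kind


if __name__ == "__main__":
    for name, url in EXAMPLE_REPOSITORIES.items():
        print(name, warn_if_unauthenticated(url, unverified_context()))
```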
History
Date                 User       Action  Args
2011-06-06 08:04:15  techtonik  set     recipients: + techtonik, loewis, fdrake, barry, tarek, jwilk, eric.araujo, Arfrever, skrah, alexis
2011-06-06 07:54:26  techtonik  link    issue12226 messages
2011-06-06 07:54:25  techtonik  create