Message 137732 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	techtonik
Recipients	Arfrever, alexis, barry, eric.araujo, fdrake, jwilk, loewis, skrah, tarek, techtonik
Date	2011-06-06.07:54:25
SpamBayes Score	1.8339635e-05
Marked as misclassified	No
Message-id	<BANLkTin7jnHg=qAfbZMynmGyTc51tFti=w@mail.gmail.com>
In-reply-to	<1307198026.95.0.503396895817.issue12226@psf.upfronthosting.co.za>

Content
On Sat, Jun 4, 2011 at 5:33 PM, Éric Araujo <report@bugs.python.org> wrote:> >> I think there should be a warning that the connection is >> unauthenticated (i.e. not secure). Users tend to be upset if they see >> 'https' and later find out that no certificates were verified. > > Thanks Stephan, that was on my mind but I forgot it. I’m -1 on using https if no validation is performed. It will be more professional if you could also explain why. Thanks. >> I believe that's a very personal judgement. > Not really; it’s an explanation of our release rules, exposed by one of the older developers. Release rules should be clear enough not to require explanation. >> For me exposing core Python development accounts is a fundamental >> flaw. > What is a core Python development account? 'core' is not the best word here, so it needs an explanation. Any account on PyPI that uploads packages used for in enterprise deployment schemes imposes a danger. Potential target are identified using 'popularity package/developer activity' rating to reduce the risk. These are the primary targets for an attack, which I called 'core'. 'primary' would be a better name probably.

On Sat, Jun 4, 2011 at 5:33 PM, Éric Araujo <report@bugs.python.org> wrote:>
>> I think there should be a warning that the connection is
>> unauthenticated (i.e. not secure). Users tend to be upset if they see
>> 'https' and later find out that no certificates were verified.
>
> Thanks Stephan, that was on my mind but I forgot it.  I’m -1 on using https if no validation is performed.

It will be more professional if you could also explain why. Thanks.

>> I believe that's a very personal judgement.
> Not really; it’s an explanation of our release rules, exposed by one of the older developers.

Release rules should be clear enough not to require explanation.

>> For me exposing core Python development accounts is a fundamental
>> flaw.

> What is a core Python development account?

'core' is not the best word here, so it needs an explanation. Any
account on PyPI that uploads packages used for in enterprise
deployment schemes imposes a danger. Potential target are identified
using 'popularity package/developer activity' rating to reduce the
risk. These are the primary targets for an attack, which I called
'core'. 'primary' would be a better name probably.

History
Date	User	Action	Args
2011-06-06 08:04:15	techtonik	set	recipients: + techtonik, loewis, fdrake, barry, tarek, jwilk, eric.araujo, Arfrever, skrah, alexis
2011-06-06 07:54:26	techtonik	link	issue12226 messages
2011-06-06 07:54:25	techtonik	create