Message137732
On Sat, Jun 4, 2011 at 5:33 PM, Éric Araujo <report@bugs.python.org> wrote:
>> I think there should be a warning that the connection is
>> unauthenticated (i.e. not secure). Users tend to be upset if they see
>> 'https' and later find out that no certificates were verified.
>
> Thanks Stephan, that was on my mind but I forgot it. I’m -1 on using https if no validation is performed.
It will be more professional if you could also explain why. Thanks.
>> I believe that's a very personal judgement.
> Not really; it’s an explanation of our release rules, exposed by one of the older developers.
Release rules should be clear enough not to require explanation.
>> For me exposing core Python development accounts is a fundamental
>> flaw.
> What is a core Python development account?
'core' is not the best word here, so it needs an explanation. Any
account on PyPI that uploads packages used in enterprise
deployment schemes imposes a danger. Potential targets are identified
using a 'popularity package/developer activity' rating to reduce the
risk. These are the primary targets for an attack, which I called
'core'. 'primary' would probably be a better name.
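The objection in the quoted text is that an https URL implies authentication that an unvalidated TLS connection does not provide. The following is an added illustration, not code from the thread or from distutils: it builds the two client configurations with Python's standard ssl module, audits an SSLContext for the weak settings, and produces the kind of warning the thread asks for before an upload. The function names, the repository URLs and the warning wording are assumptions made for this example.

```python
import ssl
from typing import List, Optional
from urllib.parse import urlparse


def verifying_context() -> ssl.SSLContext:
    """Client context that validates the server certificate chain and hostname.

    create_default_context() already sets verify_mode=CERT_REQUIRED and
    check_hostname=True; asserting it documents the invariant relied on below.
    """
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def unverified_context() -> ssl.SSLContext:
    """The weak configuration the thread objects to: encryption without authentication.

    Any server, including a man-in-the-middle, can present any certificate and the
    handshake still succeeds.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of reasons why connections made with ctx are unauthenticated."""
    problems = []
    if ctx.verify_mode == ssl.CERT_NONE:
        problems.append("certificate verification disabled (verify_mode=CERT_NONE)")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        problems.append("certificate verification optional (verify_mode=CERT_OPTIONAL)")
    if not ctx.check_hostname:
        problems.append("hostname check disabled (check_hostname=False)")
    return problems


def upload_warning(repository_url: str, ctx: ssl.SSLContext) -> Optional[str]:
    """Warning to show before uploading, or None when the connection is authenticated.

    repository_url is a hypothetical value supplied by the caller for this example.
    """
    scheme = urlparse(repository_url).scheme.lower()
    if scheme != "https":
        return (f"{repository_url}: plain-text connection; "
                "credentials and package contents travel unencrypted")
    problems = audit_context(ctx)
    if problems:
        return f"{repository_url}: https but unauthenticated ({'; '.join(problems)})"
    return None


if __name__ == "__main__":
    # Constructed example URLs; .invalid never resolves, so nothing is contacted.
    for url, ctx in [("https://upload.example.invalid/", verifying_context()),
                     ("https://upload.example.invalid/", unverified_context()),
                     ("http://upload.example.invalid/", verifying_context())]:
        print(upload_warning(url, ctx) or f"{url}: authenticated TLS, no warning")
```

The audit reads only the two attributes that decide authentication, so it can be applied to a context obtained from any library before a socket is opened; no network access is needed to detect the weak setting.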
Date                | User      | Action | Args
2011-06-06 08:04:15 | techtonik | set    | recipients: + techtonik, loewis, fdrake, barry, tarek, jwilk, eric.araujo, Arfrever, skrah, alexis
2011-06-06 07:54:26 | techtonik | link   | issue12226 messages
2011-06-06 07:54:25 | techtonik | create |