Author eric.araujo
Recipients Arfrever, alexis, barry, eric.araujo, fdrake, jwilk, loewis, skrah, tarek, techtonik
Date 2011-06-06.15:50:56
Message-id <1307375457.31.0.560375797852.issue12226@psf.upfronthosting.co.za>
Content
>> Thanks Stephan, that was on my mind but I forgot it.  I’m -1 on
>> using https if no validation is performed.
> It will be more professional if you could also explain why.

If you make an HTTPS connection without checking the certificate, what security does it add?

>> Not really; it’s an explanation of our release rules, exposed by
>> one of the older developers.
> Release rules should be clear enough not to require explanation.

Explanations make them clear.

> Any account on PyPI that uploads packages used in enterprise
> deployment schemes imposes a danger.

Sidenote: I don’t want to give less security to non-enterprise users.

Anyway, I understand your point now: insecure upload and download are vulnerable to MITM attacks, and encouraging HTTPS use (through default value + docs) would help against that.  I am supportive of a patch, but it doesn’t mean the release process should not be followed.  See also #11357 and #8561 about download security.
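The distinction the message draws, between an HTTPS connection that authenticates the server and one that merely encrypts, written out in Python as an added illustration (not code from this issue or from distutils). It builds both kinds of `ssl` client context and shows a guard an upload tool could apply before talking to the index; the host name `pypi.example` is a placeholder and no connection is opened.

```python
import ssl
import http.client


def validating_context() -> ssl.SSLContext:
    """TLS client context that verifies the server's certificate chain
    against the system CA store and checks the hostname."""
    return ssl.create_default_context()


def non_validating_context() -> ssl.SSLContext:
    """The kind of context the thread argues against: TLS is negotiated,
    but any certificate (self-signed, expired, issued for another host)
    is accepted, so an on-path attacker can still impersonate the index."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode may drop to CERT_NONE;
    # the reverse order raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """True only when the chain is required and the hostname is checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def upload_connection(host: str, ctx: ssl.SSLContext) -> http.client.HTTPSConnection:
    """Build the HTTPS connection an upload tool would use, refusing a context
    that would not authenticate the server. Constructing the object does not
    connect; the handshake happens on the first request."""
    if not context_validates_peer(ctx):
        raise ValueError("refusing HTTPS without certificate validation")
    return http.client.HTTPSConnection(host, context=ctx)


if __name__ == "__main__":
    # "pypi.example" is a placeholder host, not a real index.
    for name, ctx in (("validating", validating_context()),
                      ("non-validating", non_validating_context())):
        try:
            upload_connection("pypi.example", ctx)
            print(f"{name}: accepted")
        except ValueError as exc:
            print(f"{name}: rejected ({exc})")
```

With a validating context a mismatched or self-signed certificate makes the first request fail with `ssl.SSLCertVerificationError`; with the non-validating one the same request succeeds silently, which is exactly why it adds nothing over plain HTTP against an active attacker.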