Message 137745
>> Thanks Stephan, that was on my mind but I forgot it. I’m -1 on
>> using https if no validation is performed.
> It will be more professional if you could also explain why.
If you make an HTTPS connection without checking the certificate, what security does it add?
>> Not really; it’s an explanation of our release rules, exposed by
>> one of the older developers.
> Release rules should be clear enough not to require explanation.
Explanations make them clear.
> Any account on PyPI that uploads packages used in enterprise
> deployment schemes imposes a danger.
Sidenote: I don’t want to give less security to non-enterprise users.
Anyway, I understand your point now: insecure upload and download are vulnerable to MITM attacks, and encouraging HTTPS use (through default value + docs) would help against that. I am supportive of a patch, but it doesn’t mean the release process should not be followed. See also #11357 and #8561 about download security.

Date | User | Action | Args
2011-06-06 15:50:57 | eric.araujo | set | recipients: + eric.araujo, loewis, fdrake, barry, techtonik, tarek, jwilk, Arfrever, skrah, alexis
2011-06-06 15:50:57 | eric.araujo | set | messageid: <1307375457.31.0.560375797852.issue12226@psf.upfronthosting.co.za>
2011-06-06 15:50:56 | eric.araujo | link | issue12226 messages
2011-06-06 15:50:56 | eric.araujo | create |
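The point made in the message above, that an HTTPS connection whose certificate is never checked gives no protection against a man-in-the-middle, shown in Python's `ssl` module. This is an added example for this page, not code from the thread or from CPython's distutils; `fetch` is a hypothetical wrapper written for illustration, and the URLs in the test are placeholders that are never contacted.

```python
# Added example (not from the tracker thread): the difference between an HTTPS
# client that validates the server certificate and one that merely encrypts.
import ssl
import urllib.request
from typing import Optional


def unverified_context() -> ssl.SSLContext:
    """The anti-pattern objected to in the thread: TLS is negotiated and the
    channel is encrypted, but the peer certificate is never checked, so an
    on-path attacker presenting any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The authenticating configuration: chain validation against the system
    trust store (or a supplied CA bundle) plus hostname matching."""
    return ssl.create_default_context(cafile=cafile)


def authenticates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context would reject an impostor's certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Hypothetical download wrapper: refuses plaintext URLs and refuses to
    use a TLS context that does not validate the server certificate, so the
    caller cannot silently fall back to an unauthenticated channel."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing plaintext download: " + url)
    if not authenticates_peer(ctx):
        raise ValueError("TLS context does not validate the server certificate")
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_context()),
                      ("verified", verified_context())):
        print(f"{name}: authenticates peer = {authenticates_peer(ctx)}")
```

`authenticates_peer` is the check a download or upload tool should make before trusting anything it receives over the connection; `ssl.create_default_context()` already produces a context that passes it, so the secure setting is the default, and only code that deliberately disables verification ends up with the first configuration.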