Sorry if this is the wrong group (if it is, please redirect me to the proper list), but I'd like to suggest that PyPI be available via SSL protection. Obviously, I'd be willing to help with this effort as well. It occurred to me as I was at PyCon 'pip install'ing away that there was a real possibility of man-in-the-middle manipulations of both the content of the packages downloaded as well as the actual resolution of where packages were located (especially over an open public wifi network). I certainly understand that turning off the cleartext PyPI interface is not something that could be considered for a very long time, but it'd be nice if those individuals who were concerned about the potential for attack had an option to pull PyPI info over a protected channel. And even if people weren't concerned, if it were perhaps the default option in their environment, their security posture could be improved.
From a technology standpoint, it should be straightforward to get an SSL certificate for pypi.python.org, and then configure the web server to provide the exact same content as the existing http://pypi.python.org site. From the client side, I'd suggest an extension/patch to pip (and easy_install) to use the SSL protected version of PyPI when available. Obviously doing certificate validity on the client side would require either Python 2.6 or third party packages, but even a warning announcing that the updates/installs were happening over cleartext network would make people aware.

-- William
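A sketch of the client-side behaviour the message proposes (prefer the TLS index, validate its certificate, warn before any cleartext fallback), as an added example that is not code from the message or from pip/easy_install; the helper names and the https form of the index URL are assumptions:

```python
"""Hypothetical index-fetch helper illustrating the proposal: try HTTPS with
certificate validation first, never downgrade on a certificate failure, and
emit a visible warning if the fetch has to happen in cleartext."""
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Assumed https form of the index named in the message.
DEFAULT_INDEX = "https://pypi.python.org/simple/"


def to_https(index_url):
    """Return the https:// form of an http:// index URL; other schemes unchanged."""
    parts = urlsplit(index_url)
    if parts.scheme == "http":
        return urlunsplit(("https",) + tuple(parts[1:]))
    return index_url


def describe_channel(index_url):
    """Classify an index URL as 'tls' or 'cleartext' for logging/warnings."""
    return "tls" if urlsplit(index_url).scheme == "https" else "cleartext"


def open_index(index_url, timeout=10):
    """Open the index, returning (response, channel).

    TLS is attempted first with chain and hostname verification. A certificate
    validation error is treated as possible interception and is never papered
    over by falling back to cleartext; only an unreachable HTTPS endpoint
    (when the caller asked for plain http) triggers the warned fallback."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    https_url = to_https(index_url)
    try:
        return urllib.request.urlopen(https_url, timeout=timeout, context=ctx), "tls"
    except urllib.error.URLError as exc:
        if isinstance(getattr(exc, "reason", None), ssl.SSLCertVerificationError):
            raise  # bad certificate: refuse rather than downgrade
        if urlsplit(index_url).scheme == "https":
            raise  # caller explicitly wanted TLS; do not silently downgrade
        print(f"WARNING: {https_url} unavailable ({exc}); fetching "
              f"{index_url} over cleartext HTTP", file=sys.stderr)
        return urllib.request.urlopen(index_url, timeout=timeout), "cleartext"


if __name__ == "__main__":
    resp, channel = open_index(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_INDEX)
    print(f"fetched {resp.geturl()} over {channel}")
```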
