William McVey wrote:

> Sorry if this is the wrong group (if it is, please redirect me to the
> proper list), but I'd like to suggest that PyPI be available via SSL
> protection. Obviously, I'd be willing to help with this effort as well.
> It occurred to me as I was at PyCon 'pip install'ing away that there was
> a real possibility of man-in-the-middle manipulations of both the content
> of the packages downloaded as well as the actual resolution of where
> packages were located (especially over an open public wifi network). I
> certainly understand that turning off the cleartext PyPI interface is not
> something that could be considered for a very long time, but it'd be nice
> if those individuals who were concerned about the potential for attack had
> an option to pull PyPI info over a protected channel. And even if people
> weren't concerned, if it were perhaps the default option in their
> environment, their security posture could be improved.
>
> From a technology standpoint, it should be straightforward to get an SSL
> certificate for pypi.python.org, and then configure the web server to
> provide the exact same content as the existing http://pypi.python.org
> site. From the client side, I'd suggest an extension/patch to pip (and
> easy_install) to use the SSL protected version of PyPI when available.
> Obviously doing certificate validity on the client side would require
> either python 2.6 or third party packages, but even a warning announcing
> that the updates/installs were happening over cleartext network would
> make people aware.
Sounds like a good plan to me: no software development required on the server side, only some very well-understood sysadmin. Clients can catch up once the https:// URLs work.

Tres.

--
===================================================================
Tres Seaver          +1 540-429-0999          [email protected]
Palladion Software   "Excellence by Design"    http://palladion.com

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
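The client-side behaviour the thread asks for (prefer the https:// index when the host offers it, verify the certificate and hostname, and warn when a fetch would still go over cleartext), as an added illustration that is not code from the thread or from pip. It uses the Python 3 `ssl` module in place of the Python 2.6 / third-party validation the post mentions; `HTTPS_CAPABLE_HOSTS` and the function names are assumptions for this example.

```python
"""Index-URL policy a package client could apply before fetching metadata.
Added example; not from the mailing-list thread or from pip itself."""
import ssl
import urllib.request
import warnings
from urllib.parse import urlsplit, urlunsplit

# Hosts assumed (for this example) to serve identical content over TLS.
HTTPS_CAPABLE_HOSTS = {"pypi.python.org"}


def prefer_https(index_url: str) -> str:
    """Rewrite an http:// index URL to https:// when the host is known to offer TLS."""
    parts = urlsplit(index_url)
    if parts.scheme == "http" and parts.hostname in HTTPS_CAPABLE_HOSTS:
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return index_url


def is_cleartext(index_url: str) -> bool:
    """True when package metadata would travel unprotected (anything but https)."""
    return urlsplit(index_url).scheme != "https"


def verifying_context() -> ssl.SSLContext:
    """TLS context that validates the chain against the system trust store and
    requires the certificate to match the requested hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_index(index_url: str, timeout: float = 10.0) -> bytes:
    """Fetch the index page (network call), warning if the transfer is cleartext."""
    url = prefer_https(index_url)
    if is_cleartext(url):
        warnings.warn(f"fetching {url} over cleartext HTTP; content can be altered in transit")
        return urllib.request.urlopen(url, timeout=timeout).read()
    # The context is applied at the handshake: a bad chain or a hostname
    # mismatch raises ssl.SSLCertVerificationError instead of returning data.
    return urllib.request.urlopen(url, timeout=timeout, context=verifying_context()).read()
```

Only `fetch_index` touches the network; the policy helpers can be exercised offline.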
