On 10 Feb 2013, at 00:43, M.-A. Lemburg <[email protected]> wrote:
> On 10.02.2013 00:13, Stephen Thorne wrote:
>> Hello,
>>
>> One of my concerns with the recent pip dramas that have seen some excellent
>> and timely action from catalog-sig and others, is that 'setuptools' is
>> still widely distributed and used instead of distribute/pip.
>
> Just as a data point: distribute isn't using HTTPS either and the
> distribute bootstrap site doesn't work with HTTPS:
>
> http://python-distribute.org/
>
> (https://python-distribute.org/ gives
> "Error code: ssl_error_rx_record_too_long" in Firefox)
>
> By redirecting the PyPI main and mirror sites from HTTP to HTTPS
> you can "upgrade" older installations.

Alas, this redirection wouldn't fix the main issue, because a MITM can still proxy the connection, swallow the redirection, and insert malware into the downloaded package. The only way to really fix it is to patch all PyPI clients, including distribute.

> An alternative approach would be to make people more aware of
> the possibility to configure the PyPI site URL in a distutils
> config file (even globally) and change the URL from HTTP
> to HTTPS there:
>
> * distutils config files:
>
> http://docs.python.org/2/install/index.html#inst-config-files
>
> * setuptools:
>
> http://peak.telecommunity.com/DevCenter/EasyInstall#configuration-files
> http://peak.telecommunity.com/DevCenter/EasyInstall#command-line-options
> (the option is called --index-url)
>
> * distribute:
>
> http://pythonhosted.org/distribute/easy_install.html#configuration-files
> http://pythonhosted.org/distribute/easy_install.html#reference-manual
> (the option is called --index-url)

The problem with this approach is that the Python standard library does not validate SSL certificates. So even if you force a urllib-based tool to access PyPI through https, it doesn't help at all in case of a MITM attack.

-- 
Giovanni Bajo :: [email protected]
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
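As an added example (not code from this thread or from distutils, setuptools, distribute or pip), a small Python 3 audit covering both points raised above: it flags plain-HTTP `index_url` / `index-url` / `find_links` entries in a distutils-style config file and rewrites them to HTTPS, and it builds a urllib opener that refuses any SSL context which does not check both the certificate chain and the hostname. The config text is constructed; the verifying context comes from `ssl.create_default_context()`, which closes the gap described in the message on Python versions that ship it (stdlib verification became the default with PEP 476, Python 2.7.9 / 3.4.3).

```python
import configparser
import ssl
import urllib.request
from urllib.parse import urlsplit

# Constructed sample in the ~/.pydistutils.cfg / setup.cfg style the thread points to.
SAMPLE_CFG = """\
[easy_install]
index_url = http://pypi.python.org/simple/
find_links = http://python-distribute.org/ https://pypi.python.org/packages/
[global]
index-url = http://pypi.python.org/simple
"""

def _is_url_key(key):
    # index_url / index-url / find_links are the keys that name download locations.
    return key.endswith("url") or key.endswith("links")

def insecure_urls(cfg_text):
    """Return (section, key, url) for every plain-HTTP download URL in the config."""
    parser = configparser.ConfigParser(interpolation=None)  # '%' in URLs must not expand
    parser.read_string(cfg_text)
    return [(section, key, url)
            for section in parser.sections()
            for key, value in parser.items(section) if _is_url_key(key)
            for url in value.split() if urlsplit(url).scheme == "http"]

def upgrade_to_https(cfg_text):
    """Rewrite http:// to https:// on URL-valued lines only, keeping comments and layout."""
    out = []
    for line in cfg_text.splitlines():
        key = line.split("=", 1)[0].strip().lower() if "=" in line else ""
        out.append(line.replace("http://", "https://") if _is_url_key(key) else line)
    return "\n".join(out) + "\n"

def context_is_verifying(ctx):
    """True only if the chain is checked AND the name in the certificate is checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def verifying_context():
    """Context a PyPI client should use: system CAs, CERT_REQUIRED, hostname check on."""
    return ssl.create_default_context()

def pypi_opener(ctx=None):
    """urllib opener pinned to a verifying context; a forged certificate fails the handshake."""
    ctx = ctx if ctx is not None else verifying_context()
    if not context_is_verifying(ctx):
        raise ValueError("refusing to build an HTTPS opener that skips certificate checks")
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
```

Pointing the opener at an `https://` index URL from the rewritten config is what removes the MITM window; a plain-HTTP index, or a context with `verify_mode = CERT_NONE`, leaves it open regardless of any server-side redirect.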
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
