Giovanni Bajo wrote:
> On 10 Feb 2013, at 00:43, M.-A. Lemburg <[email protected]> wrote:
>
>> On 10.02.2013 00:13, Stephen Thorne wrote:
>>> Hello,
>>>
>>> One of my concerns with the recent pip dramas that have seen some excellent
>>> and timely action from catalog-sig and others, is that 'setuptools' is
>>> still widely distributed and used instead of distribute/pip.
>>
>> Just as a data point: distribute isn't using HTTPS either and the
>> distribute bootstrap site doesn't work with HTTPS:
>>
>> http://python-distribute.org/
>>
>> (https://python-distribute.org/ gives
>> "Error code: ssl_error_rx_record_too_long" in Firefox)
>>
>> By redirecting the PyPI main and mirror sites from HTTP to HTTPS
>> you can "upgrade" older installations.
>
> Alas, this redirection wouldn't fix the main issue, because a MITM can still
> proxy the connection, swallow the redirection, and insert malware in the
> downloaded package. The only way to really fix it is to patch all PyPI
> clients, including distribute.
The main problem at the moment is transferring passwords in plain text :-)
If you gain access to the password of an account that manages popular
packages, you don't need any of the MITM attacks - you simply modify the
existing packages on the PyPI server. Moving to HTTPS will be a first step
in making this harder.

>> An alternative approach would be to make people more aware of
>> the possibility to configure the PyPI site URL in a distutils
>> config file (even globally) and change the URL from HTTP
>> to HTTPS there:
>>
>> * distutils config files:
>>
>> http://docs.python.org/2/install/index.html#inst-config-files
>>
>> * setuptools:
>>
>> http://peak.telecommunity.com/DevCenter/EasyInstall#configuration-files
>> http://peak.telecommunity.com/DevCenter/EasyInstall#command-line-options
>> (the option is called --index-url)
>>
>> * distribute:
>>
>> http://pythonhosted.org/distribute/easy_install.html#configuration-files
>> http://pythonhosted.org/distribute/easy_install.html#reference-manual
>> (the option is called --index-url)
>
> The problem with this approach is that the Python standard library does not
> validate SSL certificates. So even if you force a urllib-based tool to access
> PyPI through https, it doesn't help at all in case of a MITM attack.

I know, but it's already a lot better than using HTTP (see above) :-)

If we could get all servers talking HTTPS using validating certificates,
that would already be a major step forward. This includes servers that
provide bootstrapping for distribute/setuptools and pip, as well as the
main PyPI server and all mirrors.

PyPI will soon get a validating certificate. I'm not sure about distribute
and the mirror servers.

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
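An added example, not code from this thread or from distutils/setuptools/distribute, of the two mitigations discussed above: upgrading the index-url in an easy_install-style config file from HTTP to HTTPS, and then fetching the index with a context that actually validates the server certificate and hostname. It assumes Python 3.4 or later (ssl.create_default_context did not exist in the 2013 standard library the thread complains about); the [easy_install] section and index-url key are the real setuptools option names, while the sample config text is constructed.

```python
import configparser
import io
import ssl
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed sample setuptools/distribute config with a plain-HTTP index
# ([easy_install] and index-url are real option names; the content is made up).
SAMPLE_CONFIG = """\
[easy_install]
index-url = http://pypi.python.org/simple/
"""

def harden_index_url(url):
    """Rewrite an index URL to https; refuse anything that is not http(s)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("unsupported index URL: %r" % url)
    return urlunsplit(("https",) + tuple(parts[1:]))

def harden_config(text):
    """Upgrade every index-url in an easy_install-style config to https;
    returns (new_text, names_of_changed_sections)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    changed = []
    for section in cfg.sections():
        if cfg.has_option(section, "index-url"):
            old = cfg.get(section, "index-url")
            new = harden_index_url(old)
            if new != old:
                cfg.set(section, "index-url", new)
                changed.append(section)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue(), changed

def verifying_context():
    """SSL context that checks the certificate chain and the hostname,
    which the 2013-era standard library did not do on its own."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def fetch_index(url):
    """Fetch over verified HTTPS only: a MITM whose certificate does not
    validate fails the handshake instead of being silently accepted."""
    with urllib.request.urlopen(harden_index_url(url), context=verifying_context()) as resp:
        return resp.read()
```

Rewriting the config only removes the plaintext first hop; without the verifying context an https:// URL still accepts any certificate the network hands it, which is exactly the gap Giovanni points out.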
