On Sunday, February 10, 2013 at 2:58 PM, Lennart Regebro wrote:
> On Sun, Feb 10, 2013 at 2:38 PM, Giovanni Bajo <[email protected]> wrote:
> > So, both of these band-aids do *not* solve the "I will intercept the
> > password" problem. I'm not saying that they should not be done. I'm saying
> > that you shouldn't believe they give *any* security to old clients.
>
> I think the way to go is to after a transition-period of forwarding,
> drop it and only allow https. This will break old clients. People will
> need to upgrade. Distribute currently supports Python 2.4 to 3.3,
> meaning that the changes we do will, after some period (which for me
> is the shorter the better) mean that we leave Python 2.3 with no
> smooth install-path. Instead each package will have to be installed
> separately.

You pretty much want to keep a http -> https redirect around because it's not a particularly nice error message if someone leaves out the https:// when typing the PyPI URL in the browser.

> You can install with
>
> easy_install
> https://pypi.python.org/packages/source/t/tzlocal/tzlocal-0.3.tar.gz#md5=078209f93b2250bb7a7bca05fa0b6d3d
>
> for example. Dependencies will be downloaded with http, meaning that
> they will fail, so you have to install each dependency separately.
>
> I'm OK with that situation for Python 2.3. It has after all not even
> had a security bug fix release since 2008, and has from what I
> understand been out of security release mode for years.
>
> //Lennart
> _______________________________________________
> Catalog-SIG mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/catalog-sig
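The point quoted above, that forwarding gives no security to old clients, shown as an added example that is not part of the original thread: a loopback listener answers a plain-http request with a 301 to https, yet it has already received the Authorization header in cleartext before it can redirect. The host name, path, user and password are constructed, and treating the http -> https redirect as one of the "band-aids" is an assumption.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SEEN = []  # what the plain-http endpoint (or anyone on the path) could read


class RedirectToHttps(BaseHTTPRequestHandler):
    """Plain-http endpoint whose only job is to redirect to https."""

    def do_GET(self):
        # The full request, headers included, has arrived before we answer.
        SEEN.append(self.headers.get("Authorization"))
        self.send_response(301)
        # Constructed host name; stands in for the https-only index.
        self.send_header("Location", "https://pypi.example.invalid" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def old_client_request(user, password):
    """Send one authenticated request over http, as a client hard-wired to
    http would; return (status, Location header, credentials seen on http)."""
    SEEN.clear()
    server = HTTPServer(("127.0.0.1", 0), RedirectToHttps)  # loopback only
    threading.Thread(target=server.handle_request, daemon=True).start()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    conn.request("GET", "/pypi", headers={"Authorization": "Basic " + token})
    resp = conn.getresponse()
    resp.read()
    status, location = resp.status, resp.getheader("Location")
    conn.close()
    server.server_close()
    # Basic auth is only base64: decoding needs no key.
    leaked = base64.b64decode(SEEN[0].split(" ", 1)[1]).decode()
    return status, location, leaked


if __name__ == "__main__":
    print(old_client_request("alice", "constructed-password"))
```

The redirect still has the usability value described in the reply for browsers; the example only shows that it cannot protect a credential that was sent before the 301 arrived.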
