On Sat, Feb 9, 2013 at 7:54 PM, Giovanni Bajo <ra...@develer.com> wrote:
> The problem with this approach is that Python standard library does not
> validate SSL certificates. So even if you force a urllib-based tool to access
> PyPI through https, it doesn't help at all in case of a MITM attack.

FWIW, if someone provides a suitable *cross-platform* urllib monkeypatch
that does certificate validation, even if it only validates PyPI's
certificate, I'll add it to setuptools and issue a patch release that uses
it, and has its default index URL updated to the https version.

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
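Added example, not part of the original message and not setuptools code: one way to give a urllib-based client certificate and hostname validation in current Python 3, with a redirect handler that refuses to leave https. The function and class names and the optional `cafile` bundle path are assumptions made for the illustration.

```python
# Added example (not setuptools code). Targets current Python 3.
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def validating_context(cafile=None):
    """SSLContext that demands a trusted chain and a matching hostname.

    cafile is an optional CA bundle path (assumption: supplied by the
    caller); with None the platform trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Already the defaults; stated explicitly so a later edit that weakens
    # either one is visible in review.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_validating(ctx):
    """True only if both chain verification and hostname matching are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


class NoDowngradeRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects that leave https, which would drop validation."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if urlsplit(newurl).scheme.lower() != "https":
            raise urllib.error.URLError("refusing non-https redirect: " + newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_index_opener(cafile=None):
    """Opener whose https requests all go through validating_context()."""
    https = urllib.request.HTTPSHandler(context=validating_context(cafile))
    return urllib.request.build_opener(https, NoDowngradeRedirect())


def install(cafile=None):
    """Process-wide equivalent of the monkeypatch: urlopen() uses the opener."""
    urllib.request.install_opener(build_index_opener(cafile))
```

Passing a `cafile` restricts trust to that bundle instead of the platform store, which is the narrower "only validates one index's certificate" variant.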