On 12 Feb 2013, at 19:36, PJ Eby <[email protected]> wrote:
> On Sat, Feb 9, 2013 at 7:54 PM, Giovanni Bajo <[email protected]> wrote:
>> The problem with this approach is that Python standard library does not
>> validate SSL certificates. So even if you force a urllib-based tool to
>> access PyPI through https, it doesn't help at all in case of a MITM attack.
>
> FWIW, if someone provides a suitable *cross-platform* urllib
> monkeypatch that does certificate validation, even if it only
> validates PyPI's certificate, I'll add it to setuptools and issue a
> patch release that uses it, and has its default index URL updated to
> the https version.

This is an option:
https://gist.github.com/zed/1347055

It's not a monkeypatch, but it's a handler. You probably want to include a CA bundle (e.g. the Mozilla one like pip is doing), and use that by default.

--
Giovanni Bajo :: [email protected]
Develer S.r.l. :: http://www.develer.com

My Blog: http://giovanni.bajo.it
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
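
A handler-based opener of the kind discussed in the message above, written against the current Python 3 standard library. This is an added example, not the code from the linked gist and not setuptools' own code; the function names, the optional `cafile` bundle path and the sample URL in the usage comment are assumptions.

```python
import ssl
import urllib.error
import urllib.request


def make_verifying_context(cafile=None):
    """Client TLS context that requires a trusted chain and a matching hostname.

    cafile: path to a PEM CA bundle shipped with the tool (assumed parameter);
    None falls back to the platform's default trust store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True            # certificate must name the requested host
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a trusted chain
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def make_https_only_opener(cafile=None):
    """Opener whose only transport is certificate-validated HTTPS.

    No plain HTTPHandler is registered, so an http:// index URL, or a
    redirect from https:// down to http://, ends in URLError instead of
    silently continuing over an unauthenticated channel.
    """
    opener = urllib.request.OpenerDirector()
    for handler in (
        urllib.request.HTTPSHandler(context=make_verifying_context(cafile)),
        urllib.request.HTTPRedirectHandler(),
        urllib.request.HTTPDefaultErrorHandler(),
        urllib.request.HTTPErrorProcessor(),
        urllib.request.UnknownHandler(),  # any other scheme raises URLError
    ):
        opener.add_handler(handler)
    return opener


def is_refused(opener, url):
    """True if the opener rejects the URL's scheme before any network traffic."""
    try:
        opener.open(url, timeout=5)
    except urllib.error.URLError as exc:
        return "unknown url type" in str(exc.reason)
    return False

# Usage (constructed URL): is_refused(make_https_only_opener(), "http://pypi.example/simple/")
```

A certificate that fails validation surfaces from `opener.open()` as `urllib.error.URLError` wrapping an `ssl.SSLCertVerificationError`, which the caller should treat as fatal rather than retrying over plain HTTP.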
