On Tue, Feb 12, 2013 at 2:11 PM, Giovanni Bajo <[email protected]> wrote:
> On 12 Feb 2013, at 19:36, PJ Eby <[email protected]> wrote:
>
>> On Sat, Feb 9, 2013 at 7:54 PM, Giovanni Bajo <[email protected]> wrote:
>>> The problem with this approach is that the Python standard library does not
>>> validate SSL certificates. So even if you force a urllib-based tool to
>>> access PyPI through https, it doesn't help at all in case of a MITM attack.
>>
>> FWIW, if someone provides a suitable *cross-platform* urllib
>> monkeypatch that does certificate validation, even if it only
>> validates PyPI's certificate, I'll add it to setuptools and issue a
>> patch release that uses it, and has its default index URL updated to
>> the https version.
>
>
> This is an option:
> https://gist.github.com/zed/1347055
>
> It's not a monkeypatch, but it's a handler. You probably want to include a CA
> bundle (e.g. the Mozilla one, like pip is doing), and use that by default.
Thanks! TBH, cert stuff makes my head hurt, which is why there's not more of it in setuptools already: I hesitate to sprinkle a dash of stuff I don't understand on top of other things and call the problem solved. That seems like something of an antipattern to me.

But I suppose I'll need to learn some of it at least, in order to be able to build a CA bundle, unless I steal whatever pip does. I can start on integrating this in the meantime at least, and hopefully can get it out around the same time that PyPI's cert is updated.

I'm nonetheless hesitant to conclude that the problem of security on *non* PyPI sites or handling redirects or all the rest of it will all be resolved in a single patch release, though.

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
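Added example, not the gist linked in the thread and not setuptools or pip code: what a certificate-validating urllib handler of the kind PJ Eby asks for has to do, written against the modern Python 3 ssl API rather than the 2013 stdlib. It shows the two checks that together make an HTTPS fetch resist a MITM (chain verification against a CA bundle, and matching the verified certificate's names against the host actually contacted), a verifying opener built from them, an https-only guard for the index URL, and a standalone hostname matcher exercised on constructed certificate dicts in `getpeercert()` form. All function names, the constructed certificates and the hostnames are assumptions for illustration; `certifi` is mentioned as one real source of the Mozilla bundle but is not imported.

```python
"""Certificate-validating HTTPS for urllib (added example, Python 3).

Two things a MITM-resistant handler needs, and the 2013 stdlib did neither:
  1. the server chain must verify against trusted CAs (CERT_REQUIRED), and
  2. the verified certificate must actually name the host being contacted.
Either one alone is not enough: a CA-signed certificate for attacker.example
passes check 1 when you connect to pypi.python.org unless check 2 is also done.
"""
import ssl
import urllib.request
from urllib.parse import urlsplit


def make_verifying_context(cafile=None):
    """SSL context that requires a trusted chain and checks the hostname.

    cafile=None uses the platform trust store, which the ssl module wires up
    on Windows, macOS and Linux (the cross-platform default).  Pass a path to
    a bundled PEM file (for example the Mozilla bundle shipped by the certifi
    package, an assumption here) to ship your own roots instead.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_verifying_context(ctx):
    """The two flags that together mean 'this context resists MITM'."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def make_verifying_opener(cafile=None):
    """urllib opener whose HTTPS handler carries the verifying context.
    With it, an untrusted or mis-named server certificate makes
    opener.open() raise ssl.SSLCertVerificationError instead of fetching."""
    handler = urllib.request.HTTPSHandler(context=make_verifying_context(cafile))
    return urllib.request.build_opener(handler)


def check_index_url(url):
    """Refuse an index URL that is not https://, so a config setting or a
    redirect target cannot silently downgrade the fetch to plaintext."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("index URL must be https://<host>/...: %r" % url)
    return url


def dnsname_match(pattern, hostname):
    """RFC 6125-style match of one certificate dNSName against a hostname.
    A wildcard is accepted only as the whole leftmost label with at least two
    labels after it: '*.python.org' matches 'pypi.python.org' but neither
    'a.b.python.org' nor 'python.org', and '*.org' matches nothing."""
    plabels = pattern.lower().split(".")
    hlabels = hostname.lower().split(".")
    if "*" in pattern:
        if plabels[0] != "*" or len(plabels) < 3:
            return False
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return plabels == hlabels


def match_hostname(cert, hostname):
    """Does a peer certificate (dict as returned by SSLSocket.getpeercert())
    name `hostname`?  subjectAltName dNSName entries are authoritative; the
    subject commonName is consulted only when the cert has no SAN at all,
    the legacy fallback old validators kept for pre-SAN certificates."""
    hostname = hostname.rstrip(".")
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(dnsname_match(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dnsname_match(value, hostname)
    return False


# Constructed sample certificates in getpeercert() dict form (not real certs).
PYPI_LIKE_CERT = {
    "subject": ((("commonName", "pypi.python.org"),),),
    "subjectAltName": (("DNS", "pypi.python.org"), ("DNS", "www.python.org")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.mirror.example"),),),
    "subjectAltName": (("DNS", "*.mirror.example"),),
}
CN_ONLY_CERT = {  # no SAN, so the legacy CN fallback applies
    "subject": ((("countryName", "US"),), (("commonName", "old.mirror.example"),)),
}
BROAD_WILDCARD_CERT = {"subjectAltName": (("DNS", "*.org"),)}


if __name__ == "__main__":
    ctx = make_verifying_context()
    print("verifying context:", is_verifying_context(ctx))
    print("index url:", check_index_url("https://pypi.python.org/simple/"))
    for cert, host in [(PYPI_LIKE_CERT, "pypi.python.org"),
                       (PYPI_LIKE_CERT, "files.python.org"),
                       (WILDCARD_CERT, "a.mirror.example"),
                       (WILDCARD_CERT, "b.a.mirror.example"),
                       (BROAD_WILDCARD_CERT, "python.org")]:
        print("%-24s -> %s" % (host, match_hostname(cert, host)))
    # To fetch for real: make_verifying_opener().open(url)
```

The hostname matcher is there to make the second check visible; in current Python the context's `check_hostname=True` performs it inside the TLS handshake, so a handler built with `make_verifying_opener` does not need to call `match_hostname` itself. Note the caveat the thread raises about non-PyPI sites still applies: a verifying opener proves you reached the host in the URL, it says nothing about an index page that links to a plain-http download elsewhere.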
