The best thing you can do for the short term is ensure that you use https by default and do full cert validation.
On Feb 12, 2013, at 6:43 PM, PJ Eby <p...@telecommunity.com> wrote:

> On Tue, Feb 12, 2013 at 2:11 PM, Giovanni Bajo <ra...@develer.com> wrote:
>> On 12/feb/2013, at 19:36, PJ Eby <p...@telecommunity.com> wrote:
>>
>>> On Sat, Feb 9, 2013 at 7:54 PM, Giovanni Bajo <ra...@develer.com> wrote:
>>>> The problem with this approach is that the Python standard library does not
>>>> validate SSL certificates. So even if you force a urllib-based tool to
>>>> access PyPI through https, it doesn't help at all in case of a MITM attack.
>>>
>>> FWIW, if someone provides a suitable *cross-platform* urllib
>>> monkeypatch that does certificate validation, even if it only
>>> validates PyPI's certificate, I'll add it to setuptools and issue a
>>> patch release that uses it, and has its default index URL updated to
>>> the https version.
>>
>> This is an option:
>> https://gist.github.com/zed/1347055
>>
>> It's not a monkeypatch, but it's a handler. You probably want to include a
>> CA bundle (e.g. the Mozilla one, like pip is doing), and use that by default.
>
> Thanks! TBH, cert stuff makes my head hurt, which is why there's not
> more of it in setuptools already: I hesitate to sprinkle a dash of
> stuff I don't understand on top of other things and call the problem
> solved. That seems like something of an antipattern to me.
>
> But I suppose I'll need to learn some of it at least, in order to be
> able to build a CA bundle, unless I steal whatever pip does. I can
> start on integrating this in the meantime at least, and hopefully can
> get it out around the same time that PyPI's cert is updated. I'm
> nonetheless hesitant to conclude that the problem of security on *non*
> PyPI sites or handling redirects or all the rest of it will all be
> resolved in a single patch release, though.
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
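As an added illustration of "https by default and full cert validation" (my own code, not the linked gist and not anything from setuptools or pip), this builds a urllib opener on an SSLContext that validates the chain against a CA bundle and checks the hostname, the way current Python's ssl module does and the 2013 stdlib did not, and adds a redirect handler that refuses the https-to-http downgrade the thread lists as an open problem. The function names are mine; the bundle path is whatever the caller supplies (None means the platform trust store).

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def require_https(url):
    """Refuse any index or download URL whose scheme is not https."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("refusing non-https URL: %s" % url)
    return url


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow redirects, but never from https down to plain http."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        came_from_https = urlsplit(req.full_url).scheme == "https"
        if came_from_https and urlsplit(newurl).scheme != "https":
            raise urllib.error.HTTPError(newurl, code, "refusing https->http redirect", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def redirect_is_allowed(from_url, to_url):
    """True if the handler above would follow a 302 from from_url to to_url."""
    req = urllib.request.Request(from_url)
    try:
        NoDowngradeRedirectHandler().redirect_request(req, None, 302, "Found", {}, to_url)
        return True
    except urllib.error.HTTPError:
        return False


def make_validating_context(cafile=None):
    """TLS context that validates the chain against a CA bundle and the hostname.
    cafile: a PEM bundle such as a Mozilla-derived one; None uses the platform store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject chains that do not lead to a trusted CA
    ctx.check_hostname = True            # and certificates issued for some other host
    return ctx


def make_validating_opener(cafile=None):
    """urllib opener with both protections; use it as opener.open(require_https(url))."""
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=make_validating_context(cafile)),
        NoDowngradeRedirectHandler(),
    )
```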