On Thursday, February 28, 2013 at 6:31 PM, PJ Eby wrote:
> On Thu, Feb 28, 2013 at 5:00 PM, Donald Stufft <donald.stu...@gmail.com> wrote:
> > SSL checking on upload should be possible, do you want
> > a patch?
>
> If it uses the 'requests' library, yes, I'll accept one. But I don't
> want to do any direct implementation of SSL cert checking in
> setuptools, at least in the short run (next few weeks), because:

Does setuptools support Python3? (or do you want it to?)

> 1. I don't consider myself qualified as yet to write a correct patch
> or even verify that a contributed patch is correct/safe, and

There's existing implementations out there that add cert checking to urllib, it's fairly short.

> 2. There is a licensing issue with including the Mozilla root
> certificate set in setuptools under its current license, and I'm not
> 100% certain I can *change* the license. (I *could* potentially use a
> platform-provided cert set, but that's not really an option on Windows
> unless you have Windows expertise above my paygrade for pulling that
> stuff out of the registry.)

Shouldn't be any issue, the PSF license is very liberal and the MPL works on a per file (as opposed to a per project) basis. So if you include the cert bundle that particular file is MPL licensed while setuptools itself remains PSF.

> So, by delegating to the requests library, I can bypass both of those
> issues in the short term. In the longer term (>1 month from now),
> more integrated solutions may be more feasible. Using "requests" is
> the best I think I can reasonably achieve by PyCon, but I *will* be
> publicizing a set of instructions for how to "safely" download
> setuptools and requests (via https in a browser to prevent MITM
> attacks), as well as how to configure easy_install for more secure
> default settings. (And easy_install will always use "requests" if
> present, unless specifically asked not to with a --no-ssl-verify
> option.)

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
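
The kind of short urllib-based certificate checking discussed in this thread, as an added example that is not code from setuptools, requests, or either poster; it uses the `ssl` module of current Python 3 (not the 2013 standard library) and goes slightly beyond the thread by also refusing plain-http URLs and https-to-http redirects. The names `make_context`, `make_opener`, `fetch`, `HttpsOnlyRedirects` and the `ca_bundle`/`verify` parameters are hypothetical; `verify=False` stands in for the `--no-ssl-verify` opt-out mentioned above.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def make_context(ca_bundle=None, verify=True):
    """Build the TLS context used for index downloads and uploads."""
    if not verify:
        # Explicit opt-out, like the --no-ssl-verify option in the thread:
        # any certificate for any host is accepted, so MITM goes undetected.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # cafile=None loads the platform trust store (on Windows, the system
    # certificate stores); a path restricts trust to that bundle only.
    # A missing or unreadable bundle raises instead of silently trusting.
    return ssl.create_default_context(cafile=ca_bundle)


class HttpsOnlyRedirects(urllib.request.HTTPRedirectHandler):
    """Refuse redirects that would drop from https to plain http."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if urlsplit(newurl).scheme != "https":
            raise urllib.error.URLError("redirect leaves https: " + newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def make_opener(ca_bundle=None, verify=True):
    """Return an opener whose https connections use make_context()."""
    https = urllib.request.HTTPSHandler(context=make_context(ca_bundle, verify))
    return urllib.request.build_opener(https, HttpsOnlyRedirects())


def fetch(url, opener=None, timeout=30):
    """Fetch url over verified https; plain http is rejected up front."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-https URL: " + url)
    with (opener or make_opener()).open(url, timeout=timeout) as resp:
        return resp.read()
```

Passing `ca_bundle` pins trust to a single PEM file (the bundled-roots approach), while leaving it as `None` uses the platform-provided cert set.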