anatoly techtonik <techto...@gmail.com> added the comment:

On Sat, Jun 4, 2011 at 5:33 PM, Éric Araujo <rep...@bugs.python.org> wrote:
>> I think there should be a warning that the connection is
>> unauthenticated (i.e. not secure). Users tend to be upset if they see
>> 'https' and later find out that no certificates were verified.
>
> Thanks Stephan, that was on my mind but I forgot it. I'm -1 on using https
> if no validation is performed.

It will be more professional if you could also explain why. Thanks.

>> I believe that's a very personal judgement.
> Not really; it's an explanation of our release rules, exposed by one of the
> older developers.

Release rules should be clear enough not to require explanation.

>> For me exposing core Python development accounts is a fundamental
>> flaw.
> What is a core Python development account?

'core' is not the best word here, so it needs an explanation. Any account on PyPI that uploads packages used in enterprise deployment schemes imposes a danger. Potential targets are identified using a 'package popularity / developer activity' rating to reduce the risk. These are the primary targets for an attack, which I called 'core'. 'primary' would probably be a better name.

----------
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue12226>
_______________________________________