Éric Araujo <mer...@netwok.org> added the comment:

>> Thanks Stephan, that was on my mind but I forgot it.  I’m -1 on
>> using https if no validation is performed.
> It will be more professional if you could also explain why.

If you make an HTTPS connection without checking the certificate, what security 
does it add?

>> Not really; it’s an explanation of our release rules, exposed by
>> one of the older developers.
> Release rules should be clear enough not to require explanation.

Explanations make them clear.

> Any account on PyPI that uploads packages used in enterprise
> deployment schemes imposes a danger.

Sidenote: I don’t want to give less security to non-enterprise users.

Anyway, I understand your point now: insecure upload and download are 
vulnerable to MITM attacks, and encouraging HTTPS use (through default value + 
docs) would help against that.  I am supportive of a patch, but it doesn’t mean 
the release process should not be followed.  See also #11357 and #8561 about 
download security.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue12226>
_______________________________________
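The point made above (HTTPS that does not check the certificate adds no protection against a MITM, because the attacker can present any certificate and the client accepts it) shown in code. This is an added example, not code from the tracker thread or from distutils; it assumes only the Python 3 standard library (ssl, http.client). The function names verifying_context, unverified_context, validates_peer and head are illustrative, and the host name in the usage call is a placeholder.

```python
"""Added example (not from the tracker thread or distutils): an HTTPS
client context that validates the server certificate beside one that
does not, plus a check that refuses to send over the latter.
Assumes the Python 3 stdlib ssl and http.client modules only."""
import http.client
import ssl


def verifying_context() -> ssl.SSLContext:
    """Context that checks the chain against the system trust store and
    checks that the certificate matches the requested host name."""
    ctx = ssl.create_default_context()
    # create_default_context() already sets both of these; they are
    # stated explicitly because they are the two checks that make the
    # connection resistant to a man-in-the-middle.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def unverified_context() -> ssl.SSLContext:
    """Context that encrypts but accepts any certificate: anyone on the
    path can terminate the TLS session with their own certificate and
    read or alter the upload.  This is the configuration the message
    above objects to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context both requires a trusted chain and checks
    the host name.  Either one missing leaves the connection open to a
    MITM: CERT_NONE accepts any certificate, and a trusted chain for the
    wrong name is still the attacker's certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def head(host: str, path: str, ctx: ssl.SSLContext) -> int:
    """Issue an HTTPS HEAD request with the given context and return the
    status code.  Refuses to send at all if the context would not
    validate the peer, so a misconfigured context fails loudly instead
    of silently downgrading to encrypted-but-unauthenticated."""
    if not validates_peer(ctx):
        raise ValueError("refusing HTTPS without certificate validation")
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=10)
    try:
        conn.request("HEAD", path)
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder host; needs network access, so it is only run directly.
    print(head("example.org", "/", verifying_context()))
```

The refusal in head() is the practical form of the objection in the message: an HTTPS default is only worth having if the client also rejects an untrusted or mismatched certificate, so the check belongs in the code path that opens the connection, not in the documentation alone.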