[issue12226] use HTTPS by default for uploading packages to pypi

2013-12-21 Thread Antoine Pitrou
Changes by Antoine Pitrou pit...@free.fr: -- assignee: eric.araujo - versions: -Python 2.6 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue12226 ___

[issue12226] use HTTPS by default for uploading packages to pypi

2013-12-21 Thread Roundup Robot
Roundup Robot added the comment: New changeset 32a39ec6bd75 by Antoine Pitrou in branch '2.7': Issue #12226: HTTPS is now used by default when connecting to PyPI. http://hg.python.org/cpython/rev/32a39ec6bd75 -- nosy: +python-dev

[issue12226] use HTTPS by default for uploading packages to pypi

2013-12-21 Thread Roundup Robot
Roundup Robot added the comment: New changeset 2b5cd6d4d149 by Antoine Pitrou in branch '3.2': Issue #12226: HTTPS is now used by default when connecting to PyPI. http://hg.python.org/cpython/rev/2b5cd6d4d149 New changeset e5a9755c967c by Antoine Pitrou in branch '3.3': Issue #12226: HTTPS is

[issue12226] use HTTPS by default for uploading packages to pypi

2013-12-21 Thread Antoine Pitrou
Antoine Pitrou added the comment: Closing as fixed, and opening a new issue for cert checking. -- resolution: -> fixed stage: -> committed/rejected status: open -> closed

[issue12226] use HTTPS by default for uploading packages to pypi

2013-11-22 Thread Éric Araujo
Éric Araujo added the comment: Donald assesses that porting the changeset to 2.7 would “make things a little nicer”, as it protects from passive attacks only. The change is small. What do people think?

[issue12226] use HTTPS by default for uploading packages to pypi

2013-11-22 Thread Antoine Pitrou
Antoine Pitrou added the comment: Well, passive attacks are the easiest to mount by a casual attacker, so I think this is important to get in.

[issue12226] use HTTPS by default for uploading packages to pypi

2013-11-22 Thread Christian Heimes
Christian Heimes added the comment: How about:
- load ca cert from default verify locations
- try connect with CERT_REQUIRED
- print warning when cert validation fails and try again with CERT_NONE
- match hostname otherwise
At least this warns the user about the issue. Is there way to

[issue12226] use HTTPS by default for uploading packages to pypi

2013-11-10 Thread anatoly techtonik
anatoly techtonik added the comment: How come that this CVE is still present in just released 2.7.6?

[issue12226] use HTTPS by default for uploading packages to pypi

2013-06-08 Thread anatoly techtonik
anatoly techtonik added the comment: This should have been backported to Python 2. I expect some related attacks on EuroPython.

[issue12226] use HTTPS by default for uploading packages to pypi

2013-06-08 Thread Donald Stufft
Donald Stufft added the comment: I would +1 backporting this, but it's not massively required since it only protects against passive attacks. It would however make things a little nicer.

[issue12226] use HTTPS by default for uploading packages to pypi

2013-06-08 Thread anatoly techtonik
anatoly techtonik added the comment: If somebody sponsors my visit to EuroPython, I will dedicate some time to prepare a demo uploading rogue packages using sniffed credentials over WiFi without owner's consent. After moving to CDN no upload logs are available, so it is even more secure for

[issue12226] use HTTPS by default for uploading packages to pypi

2013-06-08 Thread Donald Stufft
Donald Stufft added the comment: Uploading always hits the backend servers and thus has the same logging as before. Merely switching to HTTPS only provides protections against passive attacks. You need verification to protect against active attacks (which are simple and easy to do as well).

[issue12226] use HTTPS by default for uploading packages to pypi

2013-03-24 Thread Benjamin Peterson
Benjamin Peterson added the comment: This is true, but if we get proper certificate checking, this should automatically work correctly then.

[issue12226] use HTTPS by default for uploading packages to pypi

2013-03-24 Thread Éric Araujo
Éric Araujo added the comment: I’m not sure what “this” refers to (in “This is true” and “this should automatically work correctly”). My only concern is to avoid giving a false sense of security, so my initial stance was all-or-nothing. However with the recent trend of incremental

[issue12226] use HTTPS by default for uploading packages to pypi

2013-03-24 Thread Benjamin Peterson
Benjamin Peterson added the comment: By this, I meant the change I made. It was made in consultation with Richard Jones (added to nosy) at the PyCon sprints. -- nosy: +richard

[issue12226] use HTTPS by default for uploading packages to pypi

2013-03-24 Thread Donald Stufft
Donald Stufft added the comment: Using HTTPS without a Certificate prevents passive attacks but not active attacks. It puts things in a _better_ situation but not the ideal situation. -- nosy: +dstufft

[issue12226] use HTTPS by default for uploading packages to pypi

2013-03-23 Thread Éric Araujo
Éric Araujo added the comment: Benjamin, you committed a change to use HTTPS instead of HTTP. In this bug report, we were having a discussion about the false/incomplete security that this provides if there is no certificate checking. What are your thoughts on that?

[issue12226] use HTTPS by default for uploading packages to pypi

2013-03-18 Thread Arfrever Frehtes Taifersar Arahesis
Arfrever Frehtes Taifersar Arahesis added the comment: New changeset f86d46a580d8 by Benjamin Peterson in branch 'default': use the HTTPS for pypi upload http://hg.python.org/cpython/rev/f86d46a580d8

[issue12226] use HTTPS by default for uploading packages to pypi

2013-02-24 Thread Giovanni Bajo
Giovanni Bajo added the comment: Please notice that a redesign of PyPI and package security is ongoing in catalog-sig. -- nosy: +Giovanni.Bajo

[issue12226] use HTTPS by default for uploading packages to pypi

2013-02-23 Thread Devin Cook
Changes by Devin Cook devin.c.c...@gmail.com: -- nosy: +devin

[issue12226] use HTTPS by default for uploading packages to pypi

2013-02-15 Thread Christian Heimes
Christian Heimes added the comment: CVE-2013-1754 Man-in-the-middle vulnerability in package upload feature of Python's distutils -- nosy: +christian.heimes

[issue12226] use HTTPS by default for uploading packages to pypi

2013-02-04 Thread Christian Heimes
Changes by Christian Heimes li...@cheimes.de: -- nosy: +benjamin.peterson, georg.brandl, larry priority: normal -> release blocker versions: +Python 3.4 -Python 3.1

[issue12226] use HTTPS by default for uploading packages to pypi

2013-02-04 Thread Christian Heimes
Changes by Christian Heimes li...@cheimes.de: -- dependencies: +Include CA bundle and provide access to system's CA

[issue12226] use HTTPS by default for uploading packages to pypi

2013-02-04 Thread Éric Araujo
Changes by Éric Araujo mer...@netwok.org: -- assignee: tarek -> eric.araujo priority: release blocker -> high

[issue12226] use HTTPS by default for uploading packages to pypi

2011-06-18 Thread anatoly techtonik
anatoly techtonik techto...@gmail.com added the comment: This simple patch slipped off 2.7.2. Why? -- title: use secured channel for uploading packages to pypi -> use HTTPS by default for uploading packages to pypi

[issue12226] use HTTPS by default for uploading packages to pypi

2011-06-18 Thread Éric Araujo
Éric Araujo mer...@netwok.org added the comment: Because it’s not finished.

[issue12226] use HTTPS by default for uploading packages to pypi

2011-06-18 Thread anatoly techtonik
anatoly techtonik techto...@gmail.com added the comment: What is left?

[issue12226] use HTTPS by default for uploading packages to pypi

2011-06-18 Thread Éric Araujo
Éric Araujo mer...@netwok.org added the comment: Certificate checking.

[issue12226] use HTTPS by default for uploading packages to pypi

2011-06-18 Thread anatoly techtonik
anatoly techtonik techto...@gmail.com added the comment: That's the issue12358.