
Aug. 28, 2013
2:03 p.m.
On 8/28/13 8:37 AM, Christian Theune wrote:
I will also add a valid SSL certificate in the next minutes. What's your take on enforcing SSL e.g. via redirects?
I am not an expert, but I guess this depends on who is enforcing the SSL redirection. If someone untrusted can be a man-in-the-middle between your clients and http://pypi.gocept.com, then this man-in-the-middle should be able to redirect your HTTP-only clients anywhere else. I would venture that the best thing to do, if feasible, is to get your clients to point strictly to https://pypi.gocept.com and test that pip
= 1.3 verifies the SSL connection.