On May 4, 2013, at 6:28 PM, PJ Eby <pje@telecommunity.com> wrote:
On Thu, May 2, 2013 at 1:41 PM, M.-A. Lemburg <mal@egenix.com> wrote:
On 25.04.2013 16:42, M.-A. Lemburg wrote:
The latest pip supports HTTPS URLs and certificate checks (according to the change log).
Will there be a release of distribute that implements the same changes?
The current 0.6.36 still defaults to the HTTP PyPI address and doesn't do certificate checks.
FWIW, I've just checked in the first phase of my SSL implementation for setuptools, to the repository that Jason is doing merges from. The current implementation silently uses system-wide root certs from the Windows registry or from *nixes that have a well-known root bundle location. (But won't find anything on OS X by default). It also doesn't have any command-line options yet to explicitly select the certs used or to control SSL verification. But it does offer the ability to "easy_install setuptools[ssl]" to download verified copies of all the dependencies needed to get SSL support in earlier Pythons, including win32 binaries where applicable, without needing anything but the original setuptools distribution needing to have been downloaded manually via SSL.
There is still more that needs to be done besides command-line options, warnings, and docs; providing default root certs for OS X, for example. I've got a couple different ideas on that, from bundling the StartCom root cert that python.org uses, to creating a separate ca_bundle distribution that contains the files. There's another interesting gotcha with OS X certs, which is that the platform-provided openssl may check its built-in cert store in addition to what you give it explicitly, which could be a problem.
In short: providing practical, cross-platform, cross-wide-array-of-python-versions SSL support is *hard*. I'm not too surprised you haven't heard from anybody yet. ;-)
The easiest way is to just bundle the mozilla certs. They do all the work of keeping it up to date and validating them. If you're only supporting Python 2.6+ you can also just bundle requests and let its cert stuff work. I think this is the ideal way if you're 2.6+ because it centralizes the codebase for dealing with SSL.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
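The approach discussed in this thread (use a system root bundle from a well-known location, otherwise fall back to a bundled CA file) can be sketched as follows. This is an added example written for modern Python 3, not code from setuptools, distribute, pip or requests; the path list and the `bundled` parameter are assumptions chosen for illustration.

```python
import os
import ssl

# Examples of well-known CA bundle paths on Unix-like systems.
# Assumption for this sketch; not the list setuptools actually probes.
SYSTEM_BUNDLES = [
    "/etc/ssl/certs/ca-certificates.crt",      # Debian, Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",        # Fedora, RHEL
    "/etc/ssl/cert.pem",                       # Alpine, OpenBSD
    "/usr/local/share/certs/ca-root-nss.crt",  # FreeBSD
]


def find_ca_bundle(candidates=SYSTEM_BUNDLES, bundled=None):
    """Return the first usable bundle path: system locations first,
    then the optional bundled fallback (hypothetical path), else None."""
    paths = list(candidates) + ([bundled] if bundled else [])
    for path in paths:
        # Skip missing, unreadable or empty files so a broken system
        # bundle does not mask a working fallback.
        if (os.path.isfile(path) and os.access(path, os.R_OK)
                and os.path.getsize(path) > 0):
            return path
    return None


def make_verifying_context(cafile):
    """Build a client-side context that loads trust roots from `cafile`."""
    if cafile is None:
        # Fail closed: without trust roots, refuse to connect rather
        # than silently falling back to an unverified connection.
        raise RuntimeError("no CA bundle found; refusing to skip verification")
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx


if __name__ == "__main__":
    bundle = find_ca_bundle()
    print("CA bundle:", bundle)
    if bundle:
        ctx = make_verifying_context(bundle)
        print("verify:", ctx.verify_mode == ssl.CERT_REQUIRED,
              "hostname check:", ctx.check_hostname)
```

Whether the underlying OpenSSL build consults additional trust stores beyond the file passed in is platform-dependent, which is the OS X caveat raised above.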