HTTPS and certificate check update for distribute?
The latest pip supports HTTPS URLs and certificate checks (according to the change log). Will there be a release of distribute that implements the same changes? The current 0.6.36 still defaults to the HTTP PyPI address and doesn't do certificate checks.
--
Marc-Andre Lemburg
eGenix.com Professional Python Services directly from the Source (#1, Apr 25 2013)
Python Projects, Consulting and Support ... http://www.egenix.com/ mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/ mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
2013-04-17: Released eGenix mx Base 3.2.6 ... http://egenix.com/go43 ::::: Try our mxODBC.Connect Python Database Interface for free ! :::::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/
On Thu, Apr 25, 2013 at 4:42 PM, M.-A. Lemburg <mal@egenix.com> wrote:
> The latest pip supports HTTPS URLs and certificate checks (according to the change log). Will there be a release of distribute that implements the same changes?
And FWIW, the same question would be relevant for buildout that depends on distribute now.
--
Philippe Ombredanne
On 25.04.2013 16:42, M.-A. Lemburg wrote:
> The latest pip supports HTTPS URLs and certificate checks (according to the change log).
> Will there be a release of distribute that implements the same changes?
> The current 0.6.36 still defaults to the HTTP PyPI address and doesn't do certificate checks.
Hmm, given the lack of response, I guess this will take a little longer ;-) I've put Tarek on CC. Perhaps he can chime in...
--
Marc-Andre Lemburg
eGenix.com Professional Python Services directly from the Source (#1, May 02 2013)
On Thu, May 2, 2013 at 1:41 PM, M.-A. Lemburg <mal@egenix.com> wrote:
> On 25.04.2013 16:42, M.-A. Lemburg wrote:
>> The latest pip supports HTTPS URLs and certificate checks (according to the change log).
>> Will there be a release of distribute that implements the same changes?
>> The current 0.6.36 still defaults to the HTTP PyPI address and doesn't do certificate checks.
FWIW, I've just checked in the first phase of my SSL implementation for setuptools, to the repository that Jason is doing merges from. The current implementation silently uses system-wide root certs from the Windows registry or from *nixes that have a well-known root bundle location. (But won't find anything on OS X by default). It also doesn't have any command-line options yet to explicitly select the certs used or to control SSL verification. But it does offer the ability to "easy_install setuptools[ssl]" to download verified copies of all the dependencies needed to get SSL support in earlier Pythons, including win32 binaries where applicable, without needing anything but the original setuptools distribution needing to have been downloaded manually via SSL.
There is still more that needs to be done besides command-line options, warnings, and docs; providing default root certs for OS X, for example. I've got a couple different ideas on that, from bundling the StartCom root cert that python.org uses, to creating a separate ca_bundle distribution that contains the files. There's another interesting gotcha with OS X certs, which is that the platform-provided openssl may check its built-in cert store in addition to what you give it explicitly, which could be a problem.
In short: providing practical, cross-platform, cross-wide-array-of-python-versions SSL support is *hard*. I'm not too surprised you haven't heard from anybody yet. ;-)
On May 4, 2013, at 6:28 PM, PJ Eby <pje@telecommunity.com> wrote:
> On Thu, May 2, 2013 at 1:41 PM, M.-A. Lemburg <mal@egenix.com> wrote:
>> On 25.04.2013 16:42, M.-A. Lemburg wrote:
>>> The latest pip supports HTTPS URLs and certificate checks (according to the change log).
>>> Will there be a release of distribute that implements the same changes?
>>> The current 0.6.36 still defaults to the HTTP PyPI address and doesn't do certificate checks.
> FWIW, I've just checked in the first phase of my SSL implementation for setuptools, to the repository that Jason is doing merges from. The current implementation silently uses system-wide root certs from the Windows registry or from *nixes that have a well-known root bundle location. (But won't find anything on OS X by default). It also doesn't have any command-line options yet to explicitly select the certs used or to control SSL verification. But it does offer the ability to "easy_install setuptools[ssl]" to download verified copies of all the dependencies needed to get SSL support in earlier Pythons, including win32 binaries where applicable, without needing anything but the original setuptools distribution needing to have been downloaded manually via SSL.
> There is still more that needs to be done besides command-line options, warnings, and docs; providing default root certs for OS X, for example. I've got a couple different ideas on that, from bundling the StartCom root cert that python.org uses, to creating a separate ca_bundle distribution that contains the files. There's another interesting gotcha with OS X certs, which is that the platform-provided openssl may check its built-in cert store in addition to what you give it explicitly, which could be a problem.
> In short: providing practical, cross-platform, cross-wide-array-of-python-versions SSL support is *hard*. I'm not too surprised you haven't heard from anybody yet. ;-)
The easiest way is to just bundle the mozilla certs. They do all the work of keeping it up to date and validating them.
If you're only supporting Python 2.6+ you can also just bundle requests and let its cert stuff work. I think this is the ideal way if you're 2.6+ because it centralizes the codebase for dealing with SSL.
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
On Sat, May 4, 2013 at 8:01 PM, Donald Stufft <donald@stufft.io> wrote:
> The easiest way is to just bundle the mozilla certs. They do all the work of keeping it up to date and validating them.
Actually, it turns out that there's already a separately-distributed, separately licensed PyPI package for this: https://pypi.python.org/pypi/certifi
So I've just added support for it to my implementation, so that if the Windows registry or well-known systemwide locations aren't available, it'll fall back automatically. So at this point about all that's left is docs and command-line options.
I was previously intending to make this stuff part of an 0.6c12 release, but at this point Jason seems to be finishing up most of the merge work, and this new stuff might need some beta testing anyway, so probably it'll actually land in post-merge 0.7b stuff.
> If you're only supporting Python 2.6+
If that were the case, I'd have been done a *long* time ago. ;-) (Setuptools still supports Python 2.3.)
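
The lookup order described in the message above (well-known system bundle first, certifi as the fallback), as an added example in current Python 3; it is not part of the thread and not setuptools' own code. The path list and the function names are assumptions of this example, and the Windows registry source is left out.

```python
import os
import ssl

# Commonly used system CA bundle locations (an assumption of this
# example, not a list taken from the thread).
WELL_KNOWN_BUNDLES = [
    "/etc/ssl/certs/ca-certificates.crt",      # Debian, Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",        # Fedora, RHEL
    "/etc/ssl/ca-bundle.pem",                  # openSUSE
    "/etc/ssl/cert.pem",                       # OpenBSD, macOS
    "/usr/local/share/certs/ca-root-nss.crt",  # FreeBSD
]


def certifi_bundle():
    """Return the path of certifi's bundled Mozilla roots, or None."""
    try:
        import certifi
    except ImportError:
        return None
    return certifi.where()


def find_ca_bundle(candidates=WELL_KNOWN_BUNDLES, fallback=certifi_bundle):
    """Pick the first readable system bundle, else ask the fallback."""
    for path in candidates:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return path
    return fallback()


def verified_context(bundle):
    """Build a client context that loads only the roots in `bundle`."""
    if bundle is None:
        # Fail closed: without trust anchors there is no verified download.
        raise RuntimeError("no CA bundle found; refusing unverified HTTPS")
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=bundle)
    return ctx
```

Raising when no bundle is found keeps a missing root store from turning into a silent unverified connection.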
On May 5, 2013, at 2:48 PM, PJ Eby <pje@telecommunity.com> wrote:
> On Sat, May 4, 2013 at 8:01 PM, Donald Stufft <donald@stufft.io> wrote:
>> The easiest way is to just bundle the mozilla certs. They do all the work of keeping it up to date and validating them.
> Actually, it turns out that there's already a separately-distributed, separately licensed PyPI package for this: https://pypi.python.org/pypi/certifi
I'm not sure if Kenneth is keeping certifi up to date anymore because he made certifi for bundling the mozilla certs with requests and has since started to bundle them directly. If he's not we might want to find someone to take it over if he'll give it up if setuptools is going to use it. License shouldn't be an issue though because the MPL is a per file not per project license FWIW. I've included Kenneth to see if he is or has any plans to keep certifi up to date.
> So I've just added support for it to my implementation, so that if the Windows registry or well-known systemwide locations aren't available, it'll fall back automatically. So at this point about all that's left is docs and command-line options.
> I was previously intending to make this stuff part of an 0.6c12 release, but at this point Jason seems to be finishing up most of the merge work, and this new stuff might need some beta testing anyway, so probably it'll actually land in post-merge 0.7b stuff.
>> If you're only supporting Python 2.6+
> If that were the case, I'd have been done a *long* time ago. ;-) (Setuptools still supports Python 2.3.)
----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
On 05.05.2013 00:28, PJ Eby wrote:
> On Thu, May 2, 2013 at 1:41 PM, M.-A. Lemburg <mal@egenix.com> wrote:
>> On 25.04.2013 16:42, M.-A. Lemburg wrote:
>>> The latest pip supports HTTPS URLs and certificate checks (according to the change log).
>>> Will there be a release of distribute that implements the same changes?
>>> The current 0.6.36 still defaults to the HTTP PyPI address and doesn't do certificate checks.
> FWIW, I've just checked in the first phase of my SSL implementation for setuptools, to the repository that Jason is doing merges from. The current implementation silently uses system-wide root certs from the Windows registry or from *nixes that have a well-known root bundle location. (But won't find anything on OS X by default). It also doesn't have any command-line options yet to explicitly select the certs used or to control SSL verification. But it does offer the ability to "easy_install setuptools[ssl]" to download verified copies of all the dependencies needed to get SSL support in earlier Pythons, including win32 binaries where applicable, without needing anything but the original setuptools distribution needing to have been downloaded manually via SSL.
> There is still more that needs to be done besides command-line options, warnings, and docs; providing default root certs for OS X, for example. I've got a couple different ideas on that, from bundling the StartCom root cert that python.org uses, to creating a separate ca_bundle distribution that contains the files. There's another interesting gotcha with OS X certs, which is that the platform-provided openssl may check its built-in cert store in addition to what you give it explicitly, which could be a problem.
> In short: providing practical, cross-platform, cross-wide-array-of-python-versions SSL support is *hard*. I'm not too surprised you haven't heard from anybody yet. ;-)
http://www.egenix.com/products/python/pyOpenSSL/
--
Marc-Andre Lemburg
eGenix.com Professional Python Services directly from the Source (#1, May 05 2013)
participants (4)
- Donald Stufft
- M.-A. Lemburg
- Philippe Ombredanne
- PJ Eby