Sniffing passwords from PyPI using insecure connection
Hi,

I'd like to escalate http://bugs.python.org/issue12226 : 'use secured channel for uploading packages to pypi' to be shipped with next Python 2.6+. This will prevent pydotorg password sniffing when submitting packages through public networks (such as hotels).

-- 
anatoly t.
On 5/31/2011 1:04 PM, anatoly techtonik wrote:
> Hi,
>
> I'd like to escalate http://bugs.python.org/issue12226 : 'use secured channel for uploading packages to pypi' to be shipped with next Python 2.6+. This will prevent pydotorg password sniffing when submitting packages through public networks (such as hotels).
The requested one character change is

- DEFAULT_REPOSITORY = 'http://pypi.python.org/pypi'
+ DEFAULT_REPOSITORY = 'https://pypi.python.org/pypi'

If Tarek (or perhaps Eric) agree that it is appropriate and otherwise innocuous, then Martin and Barry can decide whether to include in 2.5/2.6.

Terry Jan Reedy
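Review bot: the `+` line makes https the default with no guard for interpreters built without the `_ssl` module, on which an https repository URL cannot be opened at all (the breakage Martin points out later in the thread); pair the change with an explicit check that `ssl` is importable and report a clear error when it is not, and if a plain-http fallback is added, make it opt-in and warned about rather than silent, since a silent downgrade reinstates the exact password exposure this change is meant to fix.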
> The requested one character change is
>
> - DEFAULT_REPOSITORY = 'http://pypi.python.org/pypi'
> + DEFAULT_REPOSITORY = 'https://pypi.python.org/pypi'
>
> If Tarek (or perhaps Eric) agree that it is appropriate and otherwise innocuous, then Martin and Barry can decide whether to include in 2.5/2.6.
I don't plan any further 2.5 releases, so unless a critical security issue pops up, 2.5.6 will have been the last release.

Regards,
Martin
On 6/1/2011 1:37 AM, "Martin v. Löwis" wrote:
>> The requested one character change is
>>
>> - DEFAULT_REPOSITORY = 'http://pypi.python.org/pypi'
>> + DEFAULT_REPOSITORY = 'https://pypi.python.org/pypi'
>>
>> If Tarek (or perhaps Eric) agree that it is appropriate and otherwise innocuous, then Martin and Barry can decide whether to include in 2.5/2.6.
>
> I don't plan any further 2.5 releases, so unless a critical security issue pops up, 2.5.6 will have been the last release.
OK. I removed 2.5 from all open issues, closing a few. You could remove 2.5 from the displayed version list so that people cannot add it back or to new issues.

-- 
Terry Jan Reedy
On Jun 01, 2011, at 02:33 AM, Terry Reedy wrote:
>>> The requested one character change is
>>>
>>> - DEFAULT_REPOSITORY = 'http://pypi.python.org/pypi'
>>> + DEFAULT_REPOSITORY = 'https://pypi.python.org/pypi'
>>>
>>> If Tarek (or perhaps Eric) agree that it is appropriate and otherwise innocuous, then Martin and Barry can decide whether to include in 2.5/2.6.
>
> On 6/1/2011 1:37 AM, "Martin v. Löwis" wrote:
>> I don't plan any further 2.5 releases, so unless a critical security issue pops up, 2.5.6 will have been the last release.
>
> OK. I removed 2.5 from all open issues, closing a few. You could remove 2.5 from the displayed version list so that people cannot add it back or to new issues.
I followed up on the tracker. I'm +0 on adding this to 2.6, but not until after the 2.6.7 release on Friday.

How well has this change been tested? Are there people for whom this could break things?

-Barry
> I followed up on the tracker. I'm +0 on adding this to 2.6, but not until after the 2.6.7 release on Friday.
>
> How well has this change been tested? Are there people for whom this could break things?
As others have pointed out: it would break systems that don't have the _ssl module built.

Regards,
Martin
On Fri, Jun 3, 2011 at 11:40 PM, "Martin v. Löwis" wrote:
>> I followed up on the tracker. I'm +0 on adding this to 2.6, but not until after the 2.6.7 release on Friday.
>>
>> How well has this change been tested? Are there people for whom this could break things?
>
> As others have pointed out: it would break systems that don't have the _ssl module built.
Yeah, we would need to fall back to http in that case. While using https by default is a nice addition, maybe we should also look at adding an scp-like upload/register command, since the server now has this ability.
> Regards,
> Martin
-- Tarek Ziadé | http://ziade.org
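One way to implement the check Martin and Tarek raise above (https needs `_ssl`; otherwise fall back to http), written here as an added example and not distutils' own code: the fallback is made explicit and opt-in so that a downgrade to clear text is never silent. The function names and the `allow_insecure` flag are assumptions.

```python
import importlib
import warnings
from urllib.parse import urlsplit

# Assumed default, matching the '+' line of the proposed change.
DEFAULT_REPOSITORY = 'https://pypi.python.org/pypi'


def have_ssl():
    """Return True when this interpreter was built with the _ssl module."""
    try:
        importlib.import_module('ssl')
    except ImportError:
        return False
    return True


def resolve_repository(url=DEFAULT_REPOSITORY, allow_insecure=False,
                       ssl_available=None):
    """Return the URL the credentials may be sent to, or raise.

    ssl_available overrides the runtime check so the policy can be exercised
    for builds with and without _ssl. (Hypothetical helper, not distutils.)
    """
    if ssl_available is None:
        ssl_available = have_ssl()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ('http', 'https'):
        raise ValueError('unsupported repository scheme %r in %s' % (scheme, url))
    if scheme == 'https' and ssl_available:
        return url  # the normal, encrypted path: nothing to warn about
    if not allow_insecure:
        # Either the URL is plain http, or it is https on a build without _ssl.
        # Fail loudly instead of quietly sending the password in clear text.
        raise RuntimeError(
            'refusing to send PyPI credentials to %s in clear text '
            '(ssl module available: %s); use an https repository on a build '
            'with _ssl, or pass allow_insecure=True to accept the risk'
            % (url, ssl_available))
    if scheme == 'https':
        # Explicit, opt-in downgrade: the fallback discussed above, made visible.
        url = parts._replace(scheme='http').geturl()
    warnings.warn('sending PyPI credentials to %s over plain http' % url,
                  RuntimeWarning, stacklevel=2)
    return url
```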