[Catalog-sig] SSL for PyPI

Tres Seaver tseaver at palladion.com
Tue Feb 23 20:48:41 CET 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

William McVey wrote:
> Sorry if this is the wrong group (if it is, please redirect me to the
> proper list), but I'd like to suggest that PyPI be available via SSL
> protection.  Obviously, I'd be willing to help with this effort as
> well. It occurred to me as I was at PyCon 'pip install'ing away that
> there was a real possibility of man-in-the-middle manipulations of
> both the content of the packages downloaded as well as the actual
> resolution of where packages were located (especially over an open
> public wifi network). I certainly understand that turning off the
> cleartext PyPI interface is not something that could be considered for
> a very long time, but it'd be nice if those individuals who were
> concerned about the potential for attack had an option to pull PyPI
> info over a protected channel. And even if people weren't concerned,
> if it were perhaps the default option in their environment, their
> security posture could be improved.
> 
> From a technology standpoint, it should be straightforward to get an
> SSL certificate for pypi.python.org, and then configure the web server
> to provide the exact same content as the existing
> http://pypi.python.org site. From the client side, I'd suggest an
> extension/patch to pip (and easy_install) to use the SSL protected
> version of PyPI when available. Obviously doing certificate validity
> on the client side would require either python 2.6 or third party
> packages, but even a warning announcing that the updates/installs were
> happening over cleartext network would make people aware.

Sounds like a good plan to me:  no software development required on the
server side, only some very well-understood sysadmin.  Clients can catch
up once the https:// URLs work.


Tres.
- --
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkuEMRIACgkQ+gerLs4ltQ4GnQCbB+ZKbKBFOniB82s2LyNkg2Ad
1XIAoNwAWFfpOzosa7XdvacDuMzGlJ98
=u3hg
-----END PGP SIGNATURE-----
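The client-side half of the proposal above (prefer the https:// index when it answers, verify the certificate, and warn when an install would go over cleartext) can be sketched as a small standalone piece of Python. This is an added example, not code from pip, easy_install or PyPI; the `https_reachable` probe is injected as a callable so the decision logic runs offline, and the index URL used is the one quoted in the thread.

```python
"""Index-URL hardening for a package-fetching client.

Added example, not pip's or PyPI's code. The decision logic is kept pure
(no network) so it can be tested; only the probe passed in by the caller
would touch the network in real use.
"""
import ssl
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Cleartext index URL named in the thread.
DEFAULT_INDEX = "http://pypi.python.org/simple/"


def upgrade_to_https(url: str) -> str:
    """Rewrite an http:// URL to https://; leave any other scheme untouched."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def choose_index_url(
    url: str, https_reachable: Callable[[str], bool]
) -> Tuple[str, Optional[str]]:
    """Pick the index URL a client should use.

    Returns (url_to_use, notice). `notice` is None when the chosen URL is
    protected, otherwise a warning the client should show: without TLS,
    both the package bytes and the redirect/resolution of where packages
    live are unauthenticated.
    """
    secure = upgrade_to_https(url)
    if secure != url and https_reachable(secure):
        return secure, None
    if urlsplit(url).scheme == "https":
        return url, None
    return url, (
        f"fetching {url} over cleartext: package contents and index "
        "redirects are not authenticated"
    )


def verifying_context() -> ssl.SSLContext:
    """TLS context that validates the server certificate chain and hostname.

    Certificate validation needs the ssl module's context support (Python 2.6
    or later at the time of the thread); create_default_context() already
    enables both checks, and they are set explicitly here for readability.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True when a context will reject unverified or mis-named certificates."""
    return ctx.check_hostname and ctx.verify_mode.name == "CERT_REQUIRED"


if __name__ == "__main__":
    # Stub probes standing in for a real reachability check (constructed).
    chosen, notice = choose_index_url(DEFAULT_INDEX, lambda u: True)
    print("https available  ->", chosen, notice)
    chosen, notice = choose_index_url(DEFAULT_INDEX, lambda u: False)
    print("https unavailable ->", chosen, notice)
    print("verifying context:", context_verifies(verifying_context()))
```

With a real client, the probe would be a HEAD or GET against the https:// URL using `verifying_context()`, so that a TLS endpoint presenting an untrusted certificate counts as unavailable rather than silently accepted.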
