[Catalog-sig] Add link to secure connection to the PyPI front page
M.-A. Lemburg
mal at egenix.com
Sat Jun 4 22:54:10 CEST 2011
Justin Cappos wrote:
> It depends on the threat model which is worse.
>
> If you're worried about the Chinese govt inserting malicious packages
> to track dissidents then using a universally accepted SSL cert is a
> bad idea. It's easy for a powerful and motivated attacker to get
> arbitrary certs signed.
>
> If you think that the risk of having the certificate stolen, loss of
> administrative control, etc. is a bigger threat, then a universally
> accepted SSL cert seems the wiser outcome.
>
> Of course, if distutils and other tools don't check certs, etc. this
> is all academic...

I think it has more to do with being user friendly than anything else.
A casual user seeing the Firefox warning about an untrusted connection
is likely going to revert to using the unsecure HTTP connection rather
than accepting an exception to get a secure HTTPS one.
--
Marc-Andre Lemburg
eGenix.com