[Catalog-sig] Add link to secure connection to the PyPI front page

M.-A. Lemburg mal at egenix.com
Sat Jun 4 22:54:10 CEST 2011


Justin Cappos wrote:
> It depends on the threat model which is worse.
> 
> If you're worried about the Chinese govt inserting malicious packages
> to track dissidents then using a universally accepted SSL cert is a
> bad idea. It's easy for a powerful and motivated attacker to get
> arbitrary certs signed.
> 
> If you think that the risk of having the certificate stolen, loss of
> administrative control, etc. is a bigger threat, then a universally
> accepted SSL cert seems the wiser outcome.
> 
> Of course, if distutils and other tools don't check certs, etc. this
> is all academic...

I think it has more to do with being user friendly than anything else.

A casual user seeing the Firefox warning about an untrusted connection
is likely going to revert to using the unsecure HTTP connection rather
than accepting an exception to get a secure HTTPS one.

-- 
Marc-Andre Lemburg
eGenix.com
