[Catalog-sig] PyPI and setuptools

Donald Stufft donald.stufft at gmail.com
Sun Feb 10 21:36:12 CET 2013


On Sunday, February 10, 2013 at 2:58 PM, Lennart Regebro wrote:
> On Sun, Feb 10, 2013 at 2:38 PM, Giovanni Bajo <rasky at develer.com (mailto:rasky at develer.com)> wrote:
> > So, both of these band-aids do *not* solve the "I will intercept the password" problem. I'm not saying that they should not be done. I'm saying that you shouldn't believe they give *any* security to old clients.
> 
> 
> I think the way to go is to after a transition-period of forwarding,
> drop it and only allow https. This will break old clients. People will
> need to upgrade. Distribute currently supports Python 2.4 to 3.3,
> meaning that the changes we do will, after some period (which for me
> is the shorter the better) mean that we leave Python 2.3 with no
> smooth install-path. Instead each package will have to be installed
> separately.
> 
> 

You pretty much want to keep an http -> https redirect around because
it's not a particularly nice error message if someone leaves out
the https:// when typing the PyPI URL in the browser.
> 
> You can install with
> 
> easy_install
> https://pypi.python.org/packages/source/t/tzlocal/tzlocal-0.3.tar.gz#md5=078209f93b2250bb7a7bca05fa0b6d3d
> 
> for example. Dependencies will be downloaded with http, meaning that
> they will fail, so you have to install each dependency separately.
> 
> I'm OK with that situation for Python 2.3. It has after all not even
> had a security bug fix release since 2008, and has from what I
> understand been out of security release mode for years.
> 
> //Lennart


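The thread's point is that an http -> https redirect helps browsers but gives an old client no protection: whatever it sends over plain http has already left the machine before the redirect arrives, and dependencies fetched over http can be swapped in transit. The only thing a client can do on its own side is refuse non-https URLs outright and check the digest pinned in the `#md5=` fragment of the download link (the form Lennart's tzlocal URL uses). The following is an added illustration of that client-side check, not code from setuptools, Distribute or PyPI; the function names, the constructed archive bytes and the `SUPPORTED_DIGESTS` set are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample payload standing in for a fetched tarball (not the real tzlocal archive).
SAMPLE_ARCHIVE = b"tzlocal-0.3 (constructed sample payload for the example)\n"
SAMPLE_MD5 = hashlib.md5(SAMPLE_ARCHIVE).hexdigest()
# Same URL shape as the one quoted in the thread, with the digest of the constructed payload.
SAMPLE_URL = (
    "https://pypi.python.org/packages/source/t/tzlocal/tzlocal-0.3.tar.gz#md5=" + SAMPLE_MD5
)

# Digest algorithms the example is willing to honour in a URL fragment (assumed set).
SUPPORTED_DIGESTS = {"md5", "sha256"}


def require_https(url):
    """True only for an https URL with a host. An http URL is rejected here,
    before any request is made, rather than trusting the server to redirect."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def expected_digest(url):
    """Parse a '#md5=<hex>' style fragment into (algorithm, hexdigest), or None."""
    fragment = urlparse(url).fragment
    algo, sep, hexdigest = fragment.partition("=")
    if not sep:
        return None
    algo = algo.lower()
    if algo not in SUPPORTED_DIGESTS:
        return None
    return algo, hexdigest.lower()


def verify_content(url, content):
    """Check downloaded bytes against the digest pinned in the URL fragment.

    Raises ValueError for a non-https URL, a missing or unsupported digest,
    or a mismatch; returns True when everything checks out."""
    if not require_https(url):
        raise ValueError("refusing non-https download URL: %s" % url)
    pinned = expected_digest(url)
    if pinned is None:
        raise ValueError("no usable digest fragment on URL; cannot verify download")
    algo, hexdigest = pinned
    actual = hashlib.new(algo, content).hexdigest()
    # Constant-time comparison so the check does not leak how many hex digits matched.
    if not hmac.compare_digest(actual, hexdigest):
        raise ValueError("digest mismatch for %s" % url)
    return True


def safe_to_install(url, content):
    """Boolean wrapper around verify_content for callers that just want a verdict."""
    try:
        return verify_content(url, content)
    except ValueError:
        return False


if __name__ == "__main__":
    print("https + matching md5:", safe_to_install(SAMPLE_URL, SAMPLE_ARCHIVE))
    http_url = "http://" + SAMPLE_URL[len("https://"):]
    print("plain http (redirect not trusted):", safe_to_install(http_url, SAMPLE_ARCHIVE))
    print("tampered payload:", safe_to_install(SAMPLE_URL, SAMPLE_ARCHIVE + b"x"))
```

The scheme check runs before anything is sent, which is the part a server-side redirect cannot supply; the digest check covers the case the thread describes where a dependency link itself is fetched over an untrusted channel, although it only helps if the digest was obtained over https in the first place.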