[Catalog-sig] PyPI and setuptools
Jesse Noller
jnoller at gmail.com
Tue Feb 12 19:44:25 CET 2013
From antoine:
"""
Hostname matching is backported in
http://pypi.python.org/pypi/backports.ssl_match_hostname/
Regards
Antoine.
"""
On Tuesday, February 12, 2013 at 1:36 PM, PJ Eby wrote:
> On Sat, Feb 9, 2013 at 7:54 PM, Giovanni Bajo <rasky at develer.com> wrote:
> > The problem with this approach is that the Python standard library does not validate SSL certificates. So even if you force a urllib-based tool to access PyPI through https, it doesn't help at all in case of a MITM attack.
>
> FWIW, if someone provides a suitable *cross-platform* urllib
> monkeypatch that does certificate validation, even if it only
> validates PyPI's certificate, I'll add it to setuptools and issue a
> patch release that uses it, and has its default index URL updated to
> the https version.
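
The hostname check discussed in this thread, as an added example that is not part of the original messages and is not the code of backports.ssl_match_hostname: a simplified matcher over the dict shape returned by ssl.SSLSocket.getpeercert(). The function names, the sample certificates and the rule of rejecting partial wildcards are assumptions made for illustration; IP addresses and internationalized names are not handled.

```python
# Added example: simplified hostname matching, not the backport's code.
class CertificateError(ValueError):
    pass

def _dnsname_match(pattern, hostname):
    """Compare one certificate DNS name with the requested hostname."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False          # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # require at least "*.domain.tld" and a non-empty left-most label
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False          # partial wildcards rejected here (assumption)
    return p_labels == h_labels

def match_hostname(cert, hostname):
    """Raise CertificateError unless cert is valid for hostname."""
    if not cert:
        # getpeercert() returns an empty dict when the peer was not validated
        raise CertificateError("no validated certificate to match against")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # commonName is consulted only when no DNS subjectAltName exists
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    if not any(_dnsname_match(n, hostname) for n in names):
        raise CertificateError("hostname %r doesn't match %r" % (hostname, names))

def is_valid_for(cert, hostname):
    try:
        match_hostname(cert, hostname)
        return True
    except CertificateError:
        return False

# Constructed sample certificates (not real PyPI certificate contents).
GOOD_CERT = {"subject": ((("commonName", "pypi.python.org"),),),
             "subjectAltName": (("DNS", "pypi.python.org"), ("DNS", "*.python.org"))}
# CA-signed for a different name: passes chain validation, fails this check.
OTHER_SITE_CERT = {"subject": ((("commonName", "other.example"),),),
                   "subjectAltName": (("DNS", "other.example"),)}
# commonName matches, but the DNS subjectAltName takes precedence.
SAN_WINS_CERT = {"subject": ((("commonName", "pypi.python.org"),),),
                 "subjectAltName": (("DNS", "other.example"),)}

if __name__ == "__main__":
    for label, cert in [("good", GOOD_CERT), ("other site", OTHER_SITE_CERT),
                        ("SAN wins", SAN_WINS_CERT), ("unvalidated", {})]:
        print(label, is_valid_for(cert, "pypi.python.org"))
```

This check only has meaning after the certificate chain itself has been verified against trusted CAs (cert_reqs=ssl.CERT_REQUIRED with a CA bundle); on its own it says nothing about who issued the certificate.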