[Catalog-sig] PyPI and setuptools

Giovanni Bajo rasky at develer.com
Tue Feb 12 20:11:46 CET 2013


On 12 Feb 2013, at 19:36, PJ Eby <pje at telecommunity.com> wrote:

> On Sat, Feb 9, 2013 at 7:54 PM, Giovanni Bajo <rasky at develer.com> wrote:
>> The problem with this approach is that the Python standard library does not validate SSL certificates. So even if you force a urllib-based tool to access PyPI through https, it doesn't help at all in case of a MITM attack.
> 
> FWIW, if someone provides a suitable *cross-platform* urllib
> monkeypatch that does certificate validation, even if it only
> validates PyPI's certificate, I'll add it to setuptools and issue a
> patch release that uses it, and has its default index URL updated to
> the https version.


This is an option:
https://gist.github.com/zed/1347055

It's not a monkeypatch, but it is a handler. You probably want to include a CA bundle (e.g. the Mozilla one, as pip is doing) and use that by default.
-- 
Giovanni Bajo   ::  rasky at develer.com
Develer S.r.l.  ::  http://www.develer.com

My Blog: http://giovanni.bajo.it
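
An added example of the kind of handler the thread is asking for, written for Python 3's urllib rather than the 2013 urllib2, and not taken from the linked gist or from setuptools. It contrasts the unverified behaviour the thread complains about with an HTTPSHandler bound to an ssl.SSLContext that requires a chain to a trusted root and a matching hostname, with the CA bundle path (or a single pinned PEM for the "only validate PyPI's certificate" variant) supplied by the caller. The helper names and the optional `pinned_pem` argument are this example's own; no real certificate is embedded.

```python
"""Added example (not from the thread, the gist or setuptools): a urllib
HTTPS handler that validates the server certificate against a CA bundle.

make_unverified_context() reproduces the pre-validation behaviour as the
"before" case; make_verifying_context() is the hardened form.
"""
import ssl
import urllib.request


def make_unverified_context():
    """Encrypts the connection but accepts any certificate, so a MITM
    presenting a self-signed cert succeeds.  This is the behaviour the
    thread is complaining about."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_verifying_context(ca_bundle=None, pinned_pem=None):
    """Context that requires a chain to a trusted root and a matching name.

    ca_bundle:  path to a PEM bundle (e.g. the Mozilla bundle pip ships);
                None means the platform's default trust store.
    pinned_pem: PEM text of a single certificate to trust instead of a
                bundle, for the "only validate PyPI's certificate" variant.
                (Argument added for this example.)
    """
    if pinned_pem is not None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cadata=pinned_pem)
    else:
        ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies(ctx):
    """True only if both the chain and the hostname are checked; a context
    that checks the chain but not the name still lets any valid cert for
    any host through."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def downgrade_rejected(ctx):
    """Caveat worth knowing: once check_hostname is on, the ssl module
    refuses to drop verify_mode to CERT_NONE (ValueError), so a later
    'ctx.verify_mode = ssl.CERT_NONE' cannot silently undo the check."""
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


def make_opener(ctx):
    """urllib opener whose HTTPS handler uses the given context.  With a
    verifying context, an untrusted or mismatched certificate raises
    ssl.SSLCertVerificationError instead of the request proceeding."""
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def fetch(url, ctx, timeout=30):
    """Fetch url through an opener bound to ctx; raises on a bad cert."""
    with make_opener(ctx).open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    ctx = make_verifying_context()          # platform trust store
    print("verifies:", context_verifies(ctx))
    # Needs network; fails loudly under a MITM instead of fetching a
    # tampered index:
    # print(fetch("https://pypi.org/simple/", ctx)[:60])
```

To install the verifying handler for every urllib call in a tool, pass `make_opener(make_verifying_context(ca_bundle="/path/to/cacert.pem"))` to `urllib.request.install_opener`; the bundle path is the piece a package would ship alongside its code, as the message above suggests.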