[Catalog-sig] PyPI and setuptools

PJ Eby pje at telecommunity.com
Wed Feb 13 00:43:46 CET 2013


On Tue, Feb 12, 2013 at 2:11 PM, Giovanni Bajo <rasky at develer.com> wrote:
> On 12 Feb 2013, at 19:36, PJ Eby <pje at telecommunity.com> wrote:
>
>> On Sat, Feb 9, 2013 at 7:54 PM, Giovanni Bajo <rasky at develer.com> wrote:
>>> The problem with this approach is that the Python standard library does not validate SSL certificates. So even if you force a urllib-based tool to access PyPI through https, it doesn't help at all in case of a MITM attack.
>>
>> FWIW, if someone provides a suitable *cross-platform* urllib
>> monkeypatch that does certificate validation, even if it only
>> validates PyPI's certificate, I'll add it to setuptools and issue a
>> patch release that uses it, and has its default index URL updated to
>> the https version.
>
>
> This is an option:
> https://gist.github.com/zed/1347055
>
> It's not a monkeypatch, but a handler. You probably want to include a CA bundle (e.g. the Mozilla one, like pip is doing) and use that by default.

Thanks!  TBH, cert stuff makes my head hurt, which is why there's not
more of it in setuptools already: I hesitate to sprinkle a dash of
stuff I don't understand on top of other things and call the problem
solved.  That seems like something of an antipattern to me.

But I suppose I'll need to learn some of it at least, in order to be
able to build a CA bundle, unless I steal whatever pip does.  I can
start on integrating this in the meantime at least, and hopefully can
get it out around the same time that PyPI's cert is updated.  I'm
nonetheless hesitant to conclude that the problem of security on *non*
PyPI sites or handling redirects or all the rest of it will all be
resolved in a single patch release, though.
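The thread's point is that an https:// URL buys nothing unless the client both validates the certificate chain against a trusted CA bundle and checks that the certificate matches the hostname. The example below is added here to show what that looks like as a urllib handler; it is not code from the thread, from the linked gist, or from setuptools or pip. It is written for Python 3 (since Python 3.4.3 / 2.7.9, PEP 476, the standard library verifies certificates by default, so the handler mainly pins the CA bundle and makes the intent explicit); the `allowed_hosts` allow-list and the `index.example` host are assumptions constructed for the example.

```python
import ssl
import urllib.parse
import urllib.request


def make_verifying_context(ca_bundle=None):
    """Client-side TLS context that refuses servers it cannot verify.

    ca_bundle: optional path to a PEM file of trusted roots (e.g. the
    Mozilla bundle the thread mentions). None means the platform's
    default trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    # create_default_context() already sets these; being explicit documents
    # the intent and guards against later code relaxing them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_unverified_context():
    """The weak setting, for comparison: chain and hostname are not checked.

    This is what a 2013-era urllib connection effectively did; it is here
    only so that context_is_verifying() can be seen flagging it.
    """
    return ssl._create_unverified_context()


def context_is_verifying(ctx):
    """True only if the context validates the chain AND matches the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


class VerifyingHTTPSHandler(urllib.request.HTTPSHandler):
    """urllib handler that routes every HTTPS connection through the verifying context."""

    def __init__(self, ca_bundle=None):
        super().__init__(context=make_verifying_context(ca_bundle))


def build_opener(ca_bundle=None):
    """OpenerDirector whose HTTPS traffic is certificate-checked."""
    return urllib.request.build_opener(VerifyingHTTPSHandler(ca_bundle))


def host_is_allowed(url, allowed_hosts):
    """True if url is https:// and its host is in allowed_hosts (hypothetical allow-list).

    allowed_hosts=None skips the allow-list but still insists on https.
    A plain http:// index URL is refused outright rather than silently used.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    return allowed_hosts is None or parts.hostname.lower() in allowed_hosts


def fetch_https(url, ca_bundle=None, allowed_hosts=None, timeout=30):
    """Fetch url over verified HTTPS, or raise.

    A chain or hostname mismatch (the MITM case in the thread) surfaces as
    ssl.SSLError (ssl.SSLCertVerificationError on Python 3.7+) from the
    handler; it is deliberately not caught here.
    """
    if not host_is_allowed(url, allowed_hosts):
        raise ValueError("refusing non-HTTPS or non-allow-listed URL: %r" % url)
    with build_opener(ca_bundle).open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Offline sanity checks; fetch_https() itself needs network access.
    print("verifying context ok:", context_is_verifying(make_verifying_context()))
    print("unverified context flagged:", not context_is_verifying(make_unverified_context()))
    # "index.example" is a constructed host name, not a real index.
    print("https index allowed:", host_is_allowed("https://index.example/simple/", {"index.example"}))
    print("http index refused:", not host_is_allowed("http://index.example/simple/", {"index.example"}))
```

Pass `ca_bundle` as the path to the bundle you ship with the tool; with no bundle argument the context falls back to the OS trust store, which is what you want on platforms that maintain one and not what you want when shipping a fixed bundle as pip does.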

