[Catalog-sig] PyPI and setuptools

Jesse Noller jnoller at gmail.com
Wed Feb 13 01:03:12 CET 2013


The best thing you can do for the short term is ensure that you use https by default and do full cert validation.

On Feb 12, 2013, at 6:43 PM, PJ Eby <pje at telecommunity.com> wrote:

> On Tue, Feb 12, 2013 at 2:11 PM, Giovanni Bajo <rasky at develer.com> wrote:
>> Il giorno 12/feb/2013, alle ore 19:36, PJ Eby <pje at telecommunity.com> ha scritto:
>> 
>>> On Sat, Feb 9, 2013 at 7:54 PM, Giovanni Bajo <rasky at develer.com> wrote:
>>>> The problem with this approach is that Python standard library does not validate SSL certificates. So even if you force a urllib-based tool to access PyPI through https, it doesn't help at all in case of a MITM attack.
>>> 
>>> FWIW, if someone provides a suitable *cross-platform* urllib
>>> monkeypatch that does certificate validation, even if it only
>>> validates PyPI's certificate, I'll add it to setuptools and issue a
>>> patch release that uses it, and has its default index URL updated to
>>> the https version.
>> 
>> 
>> This is an option:
>> https://gist.github.com/zed/1347055
>> 
>> it's not a monkeypatch, but it's a handler. You probably want to include a CA bundle (eg: the Mozilla one like pip is doing), and use that by default.
> 
> Thanks!  TBH, cert stuff makes my head hurt, which is why there's not
> more of it in setuptools already: I hesitate to sprinkle a dash of
> stuff I don't understand on top of other things and call the problem
> solved.  That seems like something of an antipattern to me.
> 
> But I suppose I'll need to learn some of it at least, in order to be
> able to build a CA bundle, unless I steal whatever pip does.  I can
> start on integrating this in the meantime at least, and hopefully can
> get it out around the same time that PyPI's cert is updated.  I'm
> nonetheless hesitant to conclude that the problem of security on *non*
> PyPI sites or handling redirects or all the rest of it will all be
> resolved in a single patch release, though.
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
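The two fixes the thread asks for, defaulting to https and validating the server certificate against a CA bundle, look like the following in modern Python's urllib. This is an added example, not code from the thread, from setuptools, or from the linked gist; the paths, URLs and function names are assumptions. It builds a verifying `ssl.SSLContext` (optionally pinned to an explicit PEM bundle such as the Mozilla one pip ships), wires it into a urllib opener, refuses plaintext URLs, and shows the non-verifying configuration alongside it so that the difference between the two is visible.

```python
"""Added example: a urllib opener that really validates TLS certificates.

Python 3.4+ ships ssl.create_default_context(), which turns on chain
verification (CERT_REQUIRED) and hostname checking.  The thread is about
older stdlib behaviour where https gave encryption but no identity check;
the two contexts below make that contrast explicit.
"""
import ssl
import urllib.error
import urllib.request


def make_tls_context(cafile=None):
    """Return a context that requires a valid chain and a matching hostname.

    cafile: optional path to a PEM CA bundle (assumed path, e.g. the Mozilla
    bundle that pip vendors).  None means use the platform trust store.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # Be explicit about the two switches that make verification real,
    # even though create_default_context already sets them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_unverified_context():
    """The configuration the thread warns about: TLS with no identity check.

    A MITM with any certificate at all completes this handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx):
    """True only if the context checks both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def url_is_allowed(url):
    """Policy from the thread: https by default, so reject plaintext http."""
    return url.lower().startswith("https://")


def make_opener(ctx):
    """Build a urllib opener whose HTTPS handler uses the given context.

    build_opener() replaces the default HTTPSHandler with ours, so every
    https:// request through this opener is subject to ctx's checks.
    """
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def fetch(url, ctx=None, timeout=30):
    """Fetch url over verified TLS; raise a clear error on a bad certificate."""
    if not url_is_allowed(url):
        raise ValueError("refusing plaintext URL: %s" % url)
    opener = make_opener(ctx if ctx is not None else make_tls_context())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.URLError as exc:
        # urllib wraps the handshake failure; unwrap it so callers can tell
        # "certificate rejected" apart from "network down".
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            raise RuntimeError(
                "certificate validation failed for %s: %s"
                % (url, exc.reason.verify_message)
            ) from exc
        raise


if __name__ == "__main__":
    # Assumed index URL; a real run needs network access.
    print(len(fetch("https://pypi.org/simple/")))
```

Pass `cafile="/path/to/cacert.pem"` (an assumed path) to `make_tls_context` to trust only a bundle you ship rather than whatever the host OS trusts; that is the "include a CA bundle and use it by default" suggestion from the thread. Hostname checking is what defeats the "any valid certificate for any name" MITM, so keep `check_hostname` on even when the chain is pinned.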
