[Catalog-sig] HTTPS now promoted on PyPI
Giovanni Bajo
rasky at develer.com
Tue Feb 19 14:23:39 CET 2013
On 19 Feb 2013, at 06:13, Richard Jones <r1chardj0n3s at gmail.com> wrote:
> Hi all,
>
> I've just altered the nginx configuration to promote (ie. redirect to)
> HTTPS for all GET/HEAD requests. This includes HSTS, but I've set the
> lifetime to 1 day just in case there's some HTTPS compatibility
> issues. Once it's bedded down I'll bump it to a year.
What are the benefits of redirects? I think they just hide potential problems, and they can still be exploited by MITM through ssl-stripping. Plus, they cause breakage and/or UX problems in existing tools.
Given that they give basically no security, I would suggest their removal until we fix all important issues in all third-party tools. For browsers, since you can still serve HSTS headers even without redirects, we can get it included in the Chrome and Firefox built-in HSTS lists.
> 2. incorporate some monkey-patching into distribute and setuptools and
> promote those,
I think this is our best bet for an immediate and global solution for outdated versions of Python as well. I will work to prepare a distutils patch that is compatible with 2.6 (which includes SSL), and then adapt it for 2.7 and 3.x.
Do we have numbers on how many 2.5-compatible packages have been updated in the last 6 months?
> 4. fix distutils (and accept a long lead time to actual impact), or
This can be done for mainline.
--
Giovanni Bajo :: rasky at develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
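As an added example (not part of this thread or of PyPI's nginx configuration), a small Python checker that parses a Strict-Transport-Security header per RFC 6797 and flags the points debated above: the 1-day versus 1-year max-age, the HTTP-to-HTTPS redirect, and browser preload-list eligibility. The preload requirements encoded in the constants are my assumption about hstspreload.org's current rules.

```python
"""Parse and assess a Strict-Transport-Security header (RFC 6797).
Added example for this thread, not code from PyPI's nginx setup."""
from typing import NamedTuple, Optional

ONE_DAY, ONE_YEAR = 86400, 31536000   # the two lifetimes mentioned in the post
# Assumption: browser preload lists (hstspreload.org) want max-age >= 1 year,
# includeSubDomains and the preload token; verify against the current rules.
PRELOAD_MIN_AGE = ONE_YEAR

class HstsPolicy(NamedTuple):
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Directives are ';'-separated, names case-insensitive, max-age is
    mandatory; a repeated directive makes the whole header invalid."""
    seen, max_age, subs, preload = set(), None, False, False
    for raw in header.split(";"):
        if not raw.strip():
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        if name in seen:                # duplicate directive: UA ignores the header
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')   # value may be a quoted string
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            subs = True
        elif name == "preload":
            preload = True              # unknown directives are simply ignored
    return None if max_age is None else HstsPolicy(max_age, subs, preload)

def assess(header: str, redirects_to_https: bool) -> list:
    """Findings a defender would flag for one deployment."""
    p = parse_hsts(header)
    if p is None:
        return ["no valid HSTS header; nothing pins returning clients to HTTPS"]
    out = []
    if p.max_age < ONE_YEAR:
        out.append("short max-age: clients forget the policy after %ds" % p.max_age)
    if not redirects_to_https:
        out.append("no HTTP->HTTPS redirect: UAs only honour HSTS received over TLS")
    if not (p.max_age >= PRELOAD_MIN_AGE and p.include_subdomains and p.preload):
        out.append("not eligible for browser preload lists")
    return out
```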