[Catalog-sig] HTTPS now promoted on PyPI

holger krekel holger at merlinux.eu
Tue Feb 19 14:27:06 CET 2013


On Tue, Feb 19, 2013 at 14:23 +0100, Giovanni Bajo wrote:
> Il giorno 19/feb/2013, alle ore 06:13, Richard Jones <r1chardj0n3s at gmail.com> ha scritto:
> 
> > Hi all,
> > 
> > I've just altered the nginx configuration to promote (ie. redirect to)
> > HTTPS for all GET/HEAD requests. This includes HSTS, but I've set the
> > lifetime to 1 day just in case there's some HTTPS compatibility
> > issues. Once it's bedded down I'll bump it to a year.
> 
> What is the benefits of redirects? I think they just hide potential problems, and they still can be exploited by MITM through ssl-stripping. Plus, they cause breakage and/or UX problems in existing tools. 
> 
> Given that they give basically no security, I would suggest their removal until we fix all important issues in all third-party tools. For browsers, since you can still serve HSTS headers even without redirects, we can get it included in Chrome and Firefox builtin HSTS list.
> 
> > 2. incorporate some monkey-patching into distribute and setuptools and
> > promote those,
> 
> I think this is our best bet for an immediate and global solution for outdated versions of Python as well. I will work to prepare a distutils patch that is compatible with 2.6 (which includes SSL), and then adapt it for 2.7 and 3.x. 
> 
> Do we have numbers of how many 2.5-compatible packages have been updated in the last 6 months?

FYI i did a number of py25 compatible releases of projects in the last 6
months - but i generally upload the dist files from higher python
versions, so no patch for 2.5 needed (or 2.6 for that matter).

best,
holger


More information about the Catalog-SIG mailing list