[Catalog-sig] HTTPS now promoted on PyPI

Ian Cordasco graffatcolmingov at gmail.com
Tue Feb 19 14:29:30 CET 2013


I still have versions of 2.6 installed that I can help you test with if you
would like. I also have an older version of OpenSSL on one of them (0.9.8 I
think) which I know causes issues for some people.
On Feb 19, 2013 8:23 AM, "Giovanni Bajo" <rasky at develer.com> wrote:

> On 19 Feb 2013, at 06:13, Richard Jones <
> r1chardj0n3s at gmail.com> wrote:
>
> > Hi all,
> >
> > I've just altered the nginx configuration to promote (ie. redirect to)
> > HTTPS for all GET/HEAD requests. This includes HSTS, but I've set the
> > lifetime to 1 day just in case there's some HTTPS compatibility
> > issues. Once it's bedded down I'll bump it to a year.
>
> What are the benefits of redirects? I think they just hide potential
> problems, and they can still be exploited by a MITM through SSL stripping.
> Plus, they cause breakage and/or UX problems in existing tools.
>
> Given that they give basically no security, I would suggest their removal
> until we fix all important issues in all third-party tools. For browsers,
> since you can still serve HSTS headers even without redirects, we can get
> it included in Chrome and Firefox builtin HSTS list.
>
> > 2. incorporate some monkey-patching into distribute and setuptools and
> > promote those,
>
> I think this is our best bet for an immediate and global solution for
> outdated versions of Python as well. I will work to prepare a distutils
> patch that is compatible with 2.6 (which includes SSL), and then adapt it
> for 2.7 and 3.x.
>
> Do we have numbers of how many 2.5-compatible packages have been updated
> in the last 6 months?
>
> > 4. fix distutils (and accept a long lead time to actual impact), or
>
> This can be done for mainline.
> --
> Giovanni Bajo   ::  rasky at develer.com
> Develer S.r.l.  ::  http://www.develer.com
>
> My Blog: http://giovanni.bajo.it
>
>
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
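The redirect-plus-HSTS setup described in the quoted message, as an added illustration that is not the actual PyPI nginx configuration from the thread; the hostname, certificate paths and backend upstream are placeholders assumed for the example.

```nginx
# Added example, not the real PyPI config: promote HTTPS by redirecting
# only GET/HEAD, and send HSTS over HTTPS with a 1-day lifetime that is
# raised to a year once HTTPS compatibility is confirmed.

upstream pypi_backend {
    server 127.0.0.1:8000;   # placeholder backend
}

server {
    listen 80;
    server_name pypi.example.org;   # placeholder hostname

    # Redirect idempotent requests only, so POST uploads from older tools
    # keep working over plain HTTP until those clients are fixed.
    # Note: the redirect alone does not stop an active MITM who strips
    # TLS on a first visit; only a remembered HSTS policy (or a browser
    # preload list entry) closes that gap.
    if ($request_method ~ ^(GET|HEAD)$) {
        return 301 https://$host$request_uri;
    }

    location / {
        proxy_pass http://pypi_backend;
    }
}

server {
    listen 443 ssl;
    server_name pypi.example.org;   # placeholder hostname
    ssl_certificate     /etc/nginx/ssl/pypi.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/pypi.key;   # placeholder path

    # Browsers honour Strict-Transport-Security only when it arrives over
    # HTTPS, so it belongs in this block, not the port-80 one.
    # 86400 s = 1 day; bump to 31536000 (1 year) after the bedding-in period.
    add_header Strict-Transport-Security "max-age=86400";

    location / {
        proxy_pass http://pypi_backend;
    }
}
```

Test the HTTP-side behaviour with `curl -I http://pypi.example.org/` (expect a 301 to the https:// URL) and confirm the header with `curl -sI https://pypi.example.org/ | grep -i strict-transport`.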

