[Catalog-sig] HTTPS now promoted on PyPI
M.-A. Lemburg
mal at egenix.com
Tue Feb 19 14:47:43 CET 2013
On 19.02.2013 14:23, Giovanni Bajo wrote:
> On 19/feb/2013, at 06:13, Richard Jones <r1chardj0n3s at gmail.com> wrote:
>
>> Hi all,
>>
>> I've just altered the nginx configuration to promote (ie. redirect to)
>> HTTPS for all GET/HEAD requests. This includes HSTS, but I've set the
>> lifetime to 1 day just in case there's some HTTPS compatibility
>> issues. Once it's bedded down I'll bump it to a year.
>
> What are the benefits of redirects? I think they just hide potential problems, and they still can be exploited by MITM through ssl-stripping. Plus, they cause breakage and/or UX problems in existing tools.
>
> Given that they give basically no security, I would suggest their removal until we fix all important issues in all third-party tools. For browsers, since you can still serve HSTS headers even without redirects, we can get it included in Chrome's and Firefox's builtin HSTS lists.
>
>> 2. incorporate some monkey-patching into distribute and setuptools and
>> promote those,
>
> I think this is our best bet for an immediate and global solution for outdated versions of Python as well. I will work to prepare a distutils patch that is compatible with 2.6 (which includes SSL), and then adapt it for 2.7 and 3.x.
>
> Do we have numbers of how many 2.5-compatible packages have been updated in the last 6 months?
Older Zope and Plone installations still use Python 2.4, so I guess
that's the first version we'd have to support. zc.buildout is used
by those, which in turn uses setuptools.
AFAIR, the ssl module (https://pypi.python.org/pypi/ssl/) doesn't work
well - we tried using it for our mxODBC Connect product and found too
many issues/deficiencies, so we dropped the idea. pyOpenSSL does support
Python 2.4+ and does the job nicely.
--
Marc-Andre Lemburg
eGenix.com
Professional Python Services directly from the Source (#1, Feb 19 2013)
>>> Python Projects, Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
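For readers following the thread, the setup Richard describes (redirect only GET/HEAD to HTTPS, send HSTS with a one-day lifetime to start) looks roughly like the following. This is an added illustration written for this page, not PyPI's actual nginx configuration; the hostname and certificate paths are placeholders.

```nginx
# Added illustration only; not the real PyPI configuration.
server {
    listen 80;
    server_name pypi.example;               # placeholder hostname

    # Promote HTTPS for safe, idempotent methods only. Other methods
    # (e.g. POST uploads from older tools) stay on plain HTTP so that
    # the redirect does not break them, which is the compatibility
    # concern raised in the thread.
    if ($request_method ~ ^(GET|HEAD)$) {
        return 301 https://$host$request_uri;
    }

    location / {
        proxy_pass http://127.0.0.1:8000;   # placeholder upstream
    }
}

server {
    listen 443 ssl;
    server_name pypi.example;               # placeholder hostname
    ssl_certificate     /etc/ssl/pypi.example.crt;  # placeholder path
    ssl_certificate_key /etc/ssl/pypi.example.key;  # placeholder path

    # HSTS is only honoured when received over HTTPS, so it belongs in
    # this server block. max-age=86400 is the "1 day" lifetime from the
    # announcement; once compatibility is confirmed this would be raised
    # to a year (max-age=31536000). Only a client that has already seen
    # this header over a good TLS connection is protected from a later
    # ssl-stripping attempt on port 80, which is the gap Giovanni points out.
    add_header Strict-Transport-Security "max-age=86400" always;

    location / {
        proxy_pass http://127.0.0.1:8000;   # placeholder upstream
    }
}
```

Older nginx releases may not accept the `always` parameter on `add_header`; without it the header is only added to 2xx/3xx responses.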