[Catalog-sig] HTTPS now promoted on PyPI

M.-A. Lemburg mal at egenix.com
Tue Feb 19 15:20:18 CET 2013


On 19.02.2013 14:47, M.-A. Lemburg wrote:
> On 19.02.2013 14:23, Giovanni Bajo wrote:
>> On 19/feb/2013, at 06:13, Richard Jones <r1chardj0n3s at gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> I've just altered the nginx configuration to promote (ie. redirect to)
>>> HTTPS for all GET/HEAD requests. This includes HSTS, but I've set the
>>> lifetime to 1 day just in case there's some HTTPS compatibility
>>> issues. Once it's bedded down I'll bump it to a year.
>>
>> What are the benefits of redirects? I think they just hide potential problems, and they can still be exploited by MITM through ssl-stripping. Plus, they cause breakage and/or UX problems in existing tools.
>>
>> Given that they give basically no security, I would suggest their removal until we fix all important issues in all third-party tools. For browsers, since you can still serve HSTS headers even without redirects, we can get it included in the built-in Chrome and Firefox HSTS lists.
>>
>>> 2. incorporate some monkey-patching into distribute and setuptools and
>>> promote those,
>>
>> I think this is our best bet for an immediate and global solution for outdated versions of Python as well. I will work to prepare a distutils patch that is compatible with 2.6 (which includes SSL), and then adapt it for 2.7 and 3.x. 
>>
>> Do we have numbers of how many 2.5-compatible packages have been updated in the last 6 months?
> 
> Older Zope and Plone installations still use Python 2.4, so I guess
> that's the first version we'd have to support. zc.buildout is used
> by those, which in return uses setuptools.
> 
> AFAIR, the ssl module (https://pypi.python.org/pypi/ssl/) doesn't work
> well - we tried using it for our mxODBC Connect product and found too
> many issues/deficiencies, so dropped the idea. pyOpenSSL does support
> Python 2.4+ and does the job nicely.

These are the stats for binary files hosted on PyPI, broken down
by Python version and based on the new stats file Richard uploaded:

# wc *.csv
    485     485   24074 2013-02-19-py2.3.csv
   6458    6458  389553 2013-02-19-py2.4.csv
   6639    6659  353739 2013-02-19-py2.5.csv
   7629    7631  426457 2013-02-19-py2.6.csv
   5519    5526  295462 2013-02-19-py2.7.csv
   1351    1355   70731 2013-02-19-py3.x.csv
 154857  155175 7917838 2013-02-19-totals.csv

Broken down by file types:

# wc *files.csv
  25585   25598 1431013 2013-02-19-egg-files.csv
   4619    4640  236694 2013-02-19-exe-files.csv
    254     255   13402 2013-02-19-msi-files.csv
 104691  104853 5251962 2013-02-19-tar-gz-files.csv
     24      24    1221 2013-02-19-whl-files.csv
  17937   18022  905913 2013-02-19-zip-files.csv
 153110  153392 7840205 total

I'm sure a lot more useful information could be extracted
from the stats.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 19 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
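The thread's two HSTS points, the one-day lifetime Richard set (to be raised to a year later) and Giovanni's suggestion of getting PyPI into the browsers' built-in HSTS lists, as an added example that is not from any of the posters: a small parser for the Strict-Transport-Security header that reports the policy lifetime and whether it would meet the browser preload-list criteria. The criteria used (max-age of at least one year, includeSubDomains, preload) are assumed from the current hstspreload.org rules, not stated in the thread.

```python
# Added example, not from the thread: evaluate Strict-Transport-Security
# policies such as "max-age=86400" (one day) against the browser preload
# criteria. Preload rules are an assumption (current hstspreload.org), not
# something the thread states.

ONE_DAY = 86400
ONE_YEAR = 31536000   # assumed preload requirement: max-age >= 1 year


def parse_hsts(header):
    """Parse an STS header per RFC 6797: ';'-separated directives,
    case-insensitive names, optional quoted values, unknown directives
    ignored. Returns None when a user agent would ignore the header
    (missing or non-numeric max-age, or a duplicated directive)."""
    directives = {}
    for part in header.split(';'):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition('=')
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            return None          # duplicate directive -> header is invalid
        directives[name] = value
    if 'max-age' not in directives or not directives['max-age'].isdigit():
        return None
    return {
        'max_age': int(directives['max-age']),
        'include_subdomains': 'includesubdomains' in directives,
        'preload': 'preload' in directives,
    }


def preload_eligible(policy):
    """True if the parsed policy meets the assumed preload-list criteria."""
    return (policy is not None and policy['max_age'] >= ONE_YEAR
            and policy['include_subdomains'] and policy['preload'])


def describe(header):
    """Human-readable summary: lifetime in days and preload status."""
    policy = parse_hsts(header)
    if policy is None:
        return 'invalid STS header; browsers will ignore it'
    days = policy['max_age'] // ONE_DAY
    status = ('preload-eligible' if preload_eligible(policy)
              else 'not preload-eligible')
    return '%d day(s), %s' % (days, status)
```

Note that a policy only protects a browser that has already seen the header once; the preload list is what closes the first-visit window that ssl-stripping relies on.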

