[Catalog-sig] Deprecate External Links

PJ Eby pje at telecommunity.com
Fri Mar 1 00:31:17 CET 2013

On Thu, Feb 28, 2013 at 5:00 PM, Donald Stufft <donald.stufft at gmail.com> wrote:
> SSL checking on upload should be possible, do you want
> a patch?

If it uses the 'requests' library, yes, I'll accept one.  But I don't
want to do any direct implementation of SSL cert checking in
setuptools, at least in the short run (next few weeks), because:

1. I don't consider myself qualified as yet to write a correct patch
or even verify that a contributed patch is correct/safe, and

2. There is a licensing issue with including the Mozilla root
certificate set in setuptools under its current license, and I'm not
100% certain I can *change* the license.  (I *could* potentially use a
platform-provided cert set, but that's not really an option on Windows
unless you have Windows expertise above my paygrade for pulling that
stuff out of the registry.)

So, by delegating to the requests library, I can bypass both of those
issues in the short term.  In the longer term (>1 month from now),
more integrated solutions may be more feasible.  Using "requests" is
the best I think I can reasonably achieve by PyCon, but I *will* be
publicizing a set of instructions for how to "safely" download
setuptools and requests (via https in a browser to prevent MITM
attacks), as well as how to configure easy_install for more secure
default settings.  (And easy_install will always use "requests" if
present, unless specifically asked not to with a --no-ssl-verify

More information about the Catalog-SIG mailing list