[Catalog-sig] Deprecate External Links

Donald Stufft donald.stufft at gmail.com
Fri Mar 1 00:36:02 CET 2013

On Thursday, February 28, 2013 at 6:31 PM, PJ Eby wrote:
> On Thu, Feb 28, 2013 at 5:00 PM, Donald Stufft <donald.stufft at gmail.com (mailto:donald.stufft at gmail.com)> wrote:
> > SSL checking on upload should be possible, do you want
> > a patch?
> > 
> If it uses the 'requests' library, yes, I'll accept one. But I don't
> want to do any direct implementation of SSL cert checking in
> setuptools, at least in the short run (next few weeks), because:

Does setuptools support Python3? (or do you want it to?) 
> 1. I don't consider myself qualified as yet to write a correct patch
> or even verify that a contributed patch is correct/safe, and

There's existing implementations out there that add cert checking
to urllib, it's fairly short. 
> 2. There is a licensing issue with including the Mozilla root
> certificate set in setuptools under its current license, and I'm not
> 100% certain I can *change* the license. (I *could* potentially use a
> platform-provided cert set, but that's not really an option on Windows
> unless you have Windows expertise above my paygrade for pulling that
> stuff out of the registry.)

Shouldn't be any issue, the PSF license is very liberal and the MPL
works on a per file (as opposed to a per project) basis. So if you
include the cert bundle that particular file is MPL licensed while
setuptools itself remains PSF.
> So, by delegating to the requests library, I can bypass both of those
> issues in the short term. In the longer term (>1 month from now),
> more integrated solutions may be more feasible. Using "requests" is
> the best I think I can reasonably achieve by PyCon, but I *will* be
> publicizing a set of instructions for how to "safely" download
> setuptools and requests (via https in a browser to prevent MITM
> attacks), as well as how to configure easy_install for more secure
> default settings. (And easy_install will always use "requests" if
> present, unless specifically asked not to with a --no-ssl-verify
> option.)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130228/f29d5190/attachment.html>

More information about the Catalog-SIG mailing list