[Distutils] PEP449 - Removal of the PyPI Mirror Auto Discovery and Naming Scheme

Christian Theune ct at gocept.com
Wed Aug 28 18:09:38 CEST 2013

On 28. Aug2013, at 4:03 PM, Trishank Karthik Kuppusamy <tk47 at students.poly.edu> wrote:

> On 8/28/13 8:37 AM, Christian Theune wrote:
>> I will also add a valid SSL certificate in the next minutes. What's your take on enforcing SSL e.g. via redirects?
> I am not an expert, but I guess this depends on who is enforcing the SSL redirection. If someone untrusted can be a man-in-the-middle between your clients and http://pypi.gocept.com, then this man-in-the-middle should be able to redirect your HTTP-only clients anywhere else.

Right. It doesn't add any security on its own, but it's a way that people can discover you're using SSL. :) I'll have to read up on how to do HSTS actually … 

> I would venture that the best thing to do, if feasible, is to get your clients to point strictly to https://pypi.gocept.com and test that pip >= 1.3 verifies the SSL connection.



Christian Theune · gocept gmbh & co. kg
flyingcircus.io · operations as a service
Forsterstraße 29 · 06112 Halle (Saale) · Tel +49 345 1229889-7

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130828/f6cbe75c/attachment.sig>

More information about the Distutils-SIG mailing list