[Distutils] HTTPS and certificate check update for distribute ?

PJ Eby pje at telecommunity.com
Sun May 5 00:28:57 CEST 2013


On Thu, May 2, 2013 at 1:41 PM, M.-A. Lemburg <mal at egenix.com> wrote:
> On 25.04.2013 16:42, M.-A. Lemburg wrote:
>> The latest pip supports HTTPS URLs and certificate checks
>> (according to the change log).
>>
>> Will there be a release of distribute that implements the
>> same changes ?
>>
>> The current 0.6.36 still defaults to the HTTP PyPI address
>> and doesn't do certificate checks.

FWIW, I've just checked in the first phase of my SSL implementation
for setuptools, to the repository that Jason is doing merges from.
The current implementation silently uses system-wide root certs from
the Windows registry or from *nixes that have a well-known root bundle
location.  (But won't find anything on OS X by default).  It also
doesn't have any command-line options yet to explicitly select the
certs used or to control SSL verification.  But it does offer the
ability to "easy_install setuptools[ssl]" to download verified copies
of all the dependencies needed to get SSL support in earlier Pythons,
including win32 binaries where applicable, without needing anything
but the original setuptools distribution needing to have been
downloaded manually via SSL.

There is still more that needs to be done besides command-line
options, warnings, and docs; providing default root certs for OS X,
for example.  I've got a couple different ideas on that, from bundling
the StartCom root cert that python.org uses, to creating a separate
ca_bundle distribution that contains the files.   There's another
interesting gotcha with OS X certs, which is that the
platform-provided openssl may check its built-in cert store in
addition to what you give it explicitly, which could be a problem.

In short: providing practical, cross-platform,
cross-wide-array-of-python-versions SSL support is *hard*.  I'm not
too surprised you haven't heard from anybody yet.  ;-)
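
The root-bundle lookup described in this message, sketched as an added example (not code from setuptools or from the author): it probes a list of bundle paths, lets a caller override the choice, and refuses to build a TLS context when no roots are found instead of silently connecting unverified. The candidate paths and the names `find_ca_bundle`, `verified_context` and `NoTrustRoots` are assumptions made for illustration.

```python
import os
import ssl

# Assumed, commonly seen bundle locations; not taken from the message.
CANDIDATE_BUNDLES = [
    "/etc/ssl/certs/ca-certificates.crt",  # Debian / Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",    # Fedora / RHEL
    "/etc/ssl/cert.pem",                   # BSDs, Alpine
]


class NoTrustRoots(RuntimeError):
    """Raised when verification cannot be performed for lack of root certs."""


def find_ca_bundle(candidates=CANDIDATE_BUNDLES, override=None):
    """Return the CA bundle path to trust, or None if no candidate exists.

    An explicit override wins, but a missing override is an error: falling
    back to another bundle would hide a configuration mistake.
    """
    if override is not None:
        if not os.path.isfile(override):
            raise NoTrustRoots("configured CA bundle not found: %s" % override)
        return override
    for path in candidates:
        # Skip absent and zero-length files; the first usable one wins.
        if os.path.isfile(path) and os.path.getsize(path) > 0:
            return path
    return None


def verified_context(bundle):
    """Build a client context that trusts only the given bundle."""
    if bundle is None:
        # Fail closed: no roots means no download, not an unverified one.
        raise NoTrustRoots("no CA bundle found; refusing unverified HTTPS")
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking, and
    # does not load the interpreter's default roots on its own.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=bundle)
    return ctx


if __name__ == "__main__":
    bundle = find_ca_bundle()
    print("bundle:", bundle)
    if bundle is not None:
        print("verify_mode:", verified_context(bundle).verify_mode)
```

On a platform where none of the candidate paths exists, `find_ca_bundle()` returns `None` and `verified_context` raises, which is the point at which a tool would need an explicit bundle option or a shipped bundle.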

