[Distutils] HTTPS and certificate check update for distribute ?

Donald Stufft donald at stufft.io
Sun May 5 02:01:13 CEST 2013


On May 4, 2013, at 6:28 PM, PJ Eby <pje at telecommunity.com> wrote:

> On Thu, May 2, 2013 at 1:41 PM, M.-A. Lemburg <mal at egenix.com> wrote:
>> On 25.04.2013 16:42, M.-A. Lemburg wrote:
>>> The latest pip supports HTTPS URLs and certificate checks
>>> (according to the change log).
>>> 
>>> Will there be a release of distribute that implements the
>>> same changes ?
>>> 
>>> The current 0.6.36 still defaults to the HTTP PyPI address
>>> and doesn't do certificate checks.
> 
> FWIW, I've just checked in the first phase of my SSL implementation
> for setuptools, to the repository that Jason is doing merges from.
> The current implementation silently uses system-wide root certs from
> the Windows registry or from *nixes that have a well-known root bundle
> location.  (But won't find anything on OS X by default).  It also
> doesn't have any command-line options yet to explicitly select the
> certs used or to control SSL verification.  But it does offer the
> ability to "easy_install setuptools[ssl]" to download verified copies
> of all the dependencies needed to get SSL support in earlier Pythons,
> including win32 binaries where applicable, without needing anything
> but the original setuptools distribution needing to have been
> downloaded manually via SSL.
> 
> There is still more that needs to be done besides command-line
> options, warnings, and docs; providing default root certs for OS X,
> for example.  I've got a couple different ideas on that, from bundling
> the StartCom root cert that python.org uses, to creating a separate
> ca_bundle distribution that contains the files.   There's another
> interesting gotcha with OS X certs, which is that the
> platform-provided openssl may check its built-in cert store in
> addition to what you give it explicitly, which could be a problem.
> 
> In short: providing practical, cross-platform,
> cross-wide-array-of-python-versions SSL support is *hard*.  I'm not
> too surprised you haven't heard from anybody yet.  ;-)
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

The easiest way is to just bundle the Mozilla certs. They do all the work of keeping it up to date and validating them.

If you're only supporting Python 2.6+ you can also just bundle requests and let its cert stuff work. I think this is the ideal way if you're 2.6+ because it centralizes the codebase for dealing with SSL.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
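The explicit-trust approach Donald describes (ship a known CA bundle instead of relying on whatever the platform happens to find) and the OS X gotcha PJ raises (a platform-provided OpenSSL that quietly consults its own store on top of what you hand it), as an added Python 3 example that is not code from this thread, setuptools, pip or requests. It builds a client TLS context in which both the bundled CAs and the platform roots are opt-in, so a missing or unreadable bundle fails loudly instead of silently trusting the OS store. The bundle path and the URL in the usage stub are placeholders; the code assumes a Python 3.6+ `ssl` module.

```python
import ssl
import urllib.request


def make_verified_context(cafile=None, trust_system_roots=False):
    """Build a TLS client context that refuses unverified peers.

    cafile: PEM file holding the CAs you chose to ship (for example a
        bundled copy of the Mozilla roots).  None loads nothing.
    trust_system_roots: additionally pull in the platform store (the
        Windows certificate store on Windows, OpenSSL's default paths
        elsewhere).  Off by default so that trust is an explicit choice.

    With neither source enabled the store is empty and every handshake
    fails; that is the intended behaviour, since an empty store is
    easier to notice than an unexpectedly broad one.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # reject peers without a trusted chain
    ctx.check_hostname = True             # and peers whose cert names don't match
    if cafile is not None:
        # Raises OSError (FileNotFoundError) if the bundle is missing,
        # and ssl.SSLError if it holds no parseable certificates.
        ctx.load_verify_locations(cafile=cafile)
    if trust_system_roots:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def describe_trust(ctx):
    """Report what a context will actually accept: mode, hostname check
    and how many CA certificates are loaded into its store."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "trusted_cas": ctx.cert_store_stats()["x509_ca"],
    }


def bundle_loads(cafile):
    """True if the bundle exists and yields at least one CA certificate."""
    try:
        return describe_trust(make_verified_context(cafile=cafile))["trusted_cas"] > 0
    except OSError:   # covers FileNotFoundError and ssl.SSLError
        return False


def fetch_verified(url, ctx, timeout=30):
    """Download url over HTTPS using only the trust configured in ctx.

    A peer that does not chain to a loaded CA, or whose certificate
    does not match the hostname, raises ssl.SSLCertVerificationError
    before any response body is read.
    """
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholder paths/URL: substitute the bundle you actually ship.
    BUNDLE = "/path/to/bundled-ca-roots.pem"   # placeholder
    INDEX = "https://pypi.org/simple/"
    if bundle_loads(BUNDLE):
        ctx = make_verified_context(cafile=BUNDLE)
    else:
        print("bundle missing or empty; falling back to platform roots")
        ctx = make_verified_context(trust_system_roots=True)
    print(describe_trust(ctx))
    try:
        print(len(fetch_verified(INDEX, ctx)), "bytes fetched with verification")
    except ssl.SSLCertVerificationError as exc:
        print("rejected:", exc)
```

The point of splitting `cafile` from `trust_system_roots` is that a distributor can decide, once, which of the two sources is in play and can see from `describe_trust` exactly how many roots a connection will be judged against. Whether the underlying OpenSSL on a given platform also consults a store of its own, as the thread suggests for OS X, is outside Python's control; `cert_store_stats` only counts what Python loaded.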
