[Distutils] New Documentation URL for pip and virtualenv
Donald Stufft
donald at stufft.io
Mon May 5 21:08:40 CEST 2014
On May 5, 2014, at 2:38 PM, Paul Moore <p.f.moore at gmail.com> wrote:
> On 5 May 2014 17:58, Donald Stufft <donald at stufft.io> wrote:
>> pip and virtualenv have moved their documentation away from
>> http://www.pip-installer.org/ and http://www.virtualenv.org/ to https://pip.pypa.io/
>> and https://virtualenv.pypa.io/. The new locations are still backed by
>> ReadTheDocs however they are fronted by Fastly and have enforced TLS.
>
> Purely out of curiosity and an interest in reducing my level of
> ignorance over security, what's the point in having documentation
> behind HTTPS? Is there a security exposure in reading docs that is
> mitigated by using HTTPS? Or is it just a matter of consistency and a
> principle of always using a secure protocol?
>
> Paul
So a few reasons:
* We link to the get-pip.py from the documentation, now that file is hosted via
HTTPS, however it would be trivial for someone to MITM the documentation and
point to something hosted elsewhere that was malicious.
* We list some commands to run, some of which are examples. It would be pretty
shitty if someone MITM'd and replaced those with a command that installs
a malicious package and people blindly copy/pasted them.
* Consistency.
* There's no good reason not to do it!
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20140505/92d2b879/attachment.sig>
More information about the Distutils-SIG
mailing list