[Distutils] pypi.python Error 403 Forbidden

Nick Coghlan ncoghlan at gmail.com
Thu Feb 15 19:49:24 EST 2018

On 16 February 2018 at 07:20, Heiko L. <hlaz at hs-lausitz.de> wrote:
> A user should be able to decide for himself whether to use HTTP or HTTPS.

No, as without any other form of package or metadata signing, we're
currently relying heavily on transport layer security to ensure that
the information that the server sends is the information that the end
user receives.

Any access over HTTP can be transparently intercepted and altered to
include a malicious payload (and there were a number of in-the-wild
proofs-of-concept for this when using shared wireless networks before
the service switched to HTTPS only).


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
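
An added example, not part of the original message: the reply's point is that transport security is the only thing guaranteeing that what the index sends is what the client receives, so this sketch audits a pip requirements file for settings that give that guarantee up (`http://` index URLs, `--trusted-host`). It goes one step beyond the message by also flagging requirements without a `--hash` pin, an integrity check that does not depend on the transport; the sample file, host names and function name are constructed for illustration.

```python
import re

# Constructed sample requirements file (not from the original message).
SAMPLE = """\
--index-url http://pypi.example.invalid/simple
--extra-index-url https://mirror.example.invalid/simple
--trusted-host pypi.example.invalid
requests==2.18.4
attrs==17.4.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

# pip options whose value is a location packages may be fetched from.
URL_OPTS = {"-i", "--index-url", "--extra-index-url", "-f", "--find-links"}


def audit_requirements(text):
    """Return (line_no, finding) pairs for settings that weaken download integrity."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        # pip treats '#' at line start or after whitespace as a comment.
        tokens = re.sub(r"(^|\s)#.*$", "", raw).split()
        if not tokens:
            continue
        # Normalise "--opt=value" into ["--opt", "value"].
        if tokens[0].startswith("--") and "=" in tokens[0]:
            tokens[0:1] = tokens[0].split("=", 1)
        opt = tokens[0]
        value = tokens[1] if len(tokens) > 1 else ""
        if opt in URL_OPTS:
            if value.lower().startswith("http://"):
                findings.append((no, "plaintext index URL: " + value))
        elif opt == "--trusted-host":
            # pip accepts this host even without valid (or any) HTTPS.
            findings.append((no, "host trusted without valid HTTPS: " + value))
        elif not opt.startswith("-"):
            # A requirement line: without a hash pin, integrity rests on TLS alone.
            if not any(t.startswith("--hash") for t in tokens[1:]):
                findings.append((no, "no --hash pin: " + opt))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit_requirements(SAMPLE):
        print("line %d: %s" % (line_no, finding))
```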
