[New-bugs-announce] [issue12226] use secured channel for uploading packages to pypi
anatoly techtonik
report at bugs.python.org
Tue May 31 18:51:05 CEST 2011
New submission from anatoly techtonik <techtonik at gmail.com>:
Before the next version is released, I'd like to push this one line modification to reduce the risk of sniffing Python development password when people upload packages to PyPI by using https:// communication channel by default.
Distutils doesn't validate PyPI server certificate, so this change doesn't prevent from MITM attacks, but at least it makes package submissions over wireless channels and public networks safer.
Taking into account that people still release packages for Python 2.5+ (AppEngine), I'd like to see this fix backported to at least Python 2.6
----------
assignee: tarek
components: Distutils, Distutils2
files: pypy.https.patch
keywords: patch
messages: 137366
nosy: alexis, eric.araujo, tarek, techtonik
priority: normal
severity: normal
status: open
title: use secured channel for uploading packages to pypi
type: security
versions: Python 2.6, Python 2.7, Python 3.1
Added file: http://bugs.python.org/file22208/pypy.https.patch
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue12226>
_______________________________________
More information about the New-bugs-announce
mailing list