[New-bugs-announce] [issue17121] SSH upload for distutils

Christian Heimes report at bugs.python.org
Mon Feb 4 11:03:42 CET 2013

New submission from Christian Heimes:

In the light of Ruby's recent issues and man in the middle attacks on PyPI (http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/) we should include secure uploads in distutils.

Martin has created a SSH uploader for distutils http://pypi.python.org/pypi/pypissh. I suggest that we include the feature in the next security update for Python 2.6 to 3.3. I'm well aware that this beats the "no new feature" clause but in my opinion "security beats purity".

What do you think?

assignee: eric.araujo
components: Distutils
messages: 181313
nosy: christian.heimes, eric.araujo, gregory.p.smith, gvanrossum, loewis, pitrou, tarek
priority: critical
severity: normal
stage: needs patch
status: open
title: SSH upload for distutils
type: security
versions: Python 2.6, Python 2.7, Python 3.2, Python 3.3, Python 3.4

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list