[issue12226] use secured channel for uploading packages to pypi

anatoly techtonik report at bugs.python.org
Mon Jun 6 10:04:15 CEST 2011

anatoly techtonik <techtonik at gmail.com> added the comment:

On Sat, Jun 4, 2011 at 5:33 PM, Éric Araujo <report at bugs.python.org> wrote:>
>> I think there should be a warning that the connection is
>> unauthenticated (i.e. not secure). Users tend to be upset if they see
>> 'https' and later find out that no certificates were verified.
> Thanks Stephan, that was on my mind but I forgot it.  I’m -1 on using https if no validation is performed.

It will be more professional if you could also explain why. Thanks.

>> I believe that's a very personal judgement.
> Not really; it’s an explanation of our release rules, exposed by one of the older developers.

Release rules should be clear enough not to require explanation.

>> For me exposing core Python development accounts is a fundamental
>> flaw.

> What is a core Python development account?

'core' is not the best word here, so it needs an explanation. Any
account on PyPI that uploads packages used for in enterprise
deployment schemes imposes a danger. Potential target are identified
using 'popularity package/developer activity' rating to reduce the
risk. These are the primary targets for an attack, which I called
'core'. 'primary' would be a better name probably.


Python tracker <report at bugs.python.org>

More information about the Python-bugs-list mailing list