[issue12226] use secured channel for uploading packages to pypi
report at bugs.python.org
Mon Jun 6 10:04:15 CEST 2011
anatoly techtonik <techtonik at gmail.com> added the comment:
On Sat, Jun 4, 2011 at 5:33 PM, Éric Araujo <report at bugs.python.org> wrote:
>> I think there should be a warning that the connection is
>> unauthenticated (i.e. not secure). Users tend to be upset if they see
>> 'https' and later find out that no certificates were verified.
> Thanks Stephan, that was on my mind but I forgot it. I’m -1 on using https if no validation is performed.
It will be more professional if you could also explain why. Thanks.
>> I believe that's a very personal judgement.
> Not really; it’s an explanation of our release rules, exposed by one of the older developers.
Release rules should be clear enough not to require explanation.
>> For me exposing core Python development accounts is a fundamental
> What is a core Python development account?
'core' is not the best word here, so it needs an explanation. Any
account on PyPI that uploads packages used in enterprise
deployment schemes poses a danger. Potential targets are identified
using a 'popularity package/developer activity' rating to reduce the
risk. These are the primary targets for an attack, which I called
'core'. 'primary' would probably be a better name.
Python tracker <report at bugs.python.org>
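The thread's point is that an 'https' repository URL says nothing about whether the server certificate was actually verified. As an added example (not code from the tracker or from distutils), the helper below inspects the client's `ssl.SSLContext` and emits the kind of warning proposed above when the channel is plain HTTP or HTTPS without validation; the repository URL is a constructed placeholder.

```python
import ssl
from typing import Optional
from urllib.parse import urlsplit


def connection_is_authenticated(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates the chain AND checks the hostname.

    Either one alone still allows a man-in-the-middle with a valid-looking
    certificate for some other name.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def upload_channel_warning(repository_url: str,
                           ctx: Optional[ssl.SSLContext]) -> Optional[str]:
    """Return a warning string for an insecure upload channel, else None."""
    scheme = urlsplit(repository_url).scheme.lower()
    if scheme == "http":
        return ("WARNING: repository uses plain HTTP; credentials and the "
                "package are sent in clear text")
    if scheme == "https" and (ctx is None or not connection_is_authenticated(ctx)):
        # 'https' in the URL but no certificate validation: the channel is
        # encrypted yet unauthenticated, exactly the case the thread discusses.
        return ("WARNING: HTTPS connection is unauthenticated (server "
                "certificate not verified)")
    return None


def verified_context() -> ssl.SSLContext:
    # Loads the system CA store; CERT_REQUIRED and check_hostname are the defaults.
    return ssl.create_default_context()


def unverified_context() -> ssl.SSLContext:
    # Constructed: mirrors an HTTPS client that skips verification entirely.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    repo = "https://pypi.example/upload"   # constructed placeholder URL
    for label, ctx in (("verified", verified_context()),
                       ("unverified", unverified_context())):
        print(label, "->", upload_channel_warning(repo, ctx) or "channel authenticated")
```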