[Python-Dev] Sniffing passwords from PyPI using insecure connection

Barry Warsaw barry at python.org
Wed Jun 1 13:08:18 CEST 2011


On Jun 01, 2011, at 02:33 AM, Terry Reedy wrote:

>On 6/1/2011 1:37 AM, "Martin v. Löwis" wrote:
>>> The requested one character change is
>>> -    DEFAULT_REPOSITORY = 'http://pypi.python.org/pypi'
>>> +    DEFAULT_REPOSITORY = 'https://pypi.python.org/pypi'
>>>
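Review bot: the scheme flip removes the passive sniffing named in the subject line, but nothing in this hunk shows the client verifying the server certificate, so an interposed server could still collect the upload password; say in the tracker issue what the connection code checks. To answer the "could this break things" question below, also note the expected behaviour on an interpreter built without SSL support, where an https default fails where http used to work, and whether a user-configured repository URL still overrides the default.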
>>> If Tarek (or perhaps Eric) agrees that it is appropriate and otherwise
>>> innocuous, then Martin and Barry can decide whether to include in 2.5/2.6.
>>
>> I don't plan any further 2.5 releases, so unless a critical security
>> issue pops up, 2.5.6 will have been the last release.
>
>OK. I removed 2.5 from all open issues, closing a few. You could remove 2.5
>from the displayed version list so that people cannot add it back or to new
>issues.

I followed up on the tracker.  I'm +0 on adding this to 2.6, but not until
after the 2.6.7 release on Friday.

How well has this change been tested?  Are there people for whom this could
break things?

-Barry

