[Python-Dev] Sniffing passwords from PyPI using insecure connection

Barry Warsaw barry at python.org
Wed Jun 1 13:08:18 CEST 2011

On Jun 01, 2011, at 02:33 AM, Terry Reedy wrote:

>On 6/1/2011 1:37 AM, "Martin v. Löwis" wrote:
>>> The requested one character change is
>>> -    DEFAULT_REPOSITORY = 'http://pypi.python.org/pypi'
>>> +    DEFAULT_REPOSITORY = 'https://pypi.python.org/pypi'
>>> If Tarek (or perhaps Eric) agree that it is appropriate and otherwise
>>> innocuous, then Martin and Barry can decide whether to include in 2.5/2.
>> I don't plan any further 2.5 releases, so unless a critical security
>> issue pops up, 2.5.6 will have been the last release.
>OK. I removed 2.5 from all open issues, closing a few. You could remove 2.5
>from the displayed version list so that people cannot add it back or to new

I followed up on the tracker.  I'm +0 on adding this to 2.6, but not until
after the 2.6.7 release on Friday.

How well has this change been tested?  Are there people for whom this could
break things?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-dev/attachments/20110601/0c40d655/attachment.pgp>

More information about the Python-Dev mailing list