[Python-Dev] Sniffing passwords from PyPI using insecure connection

Terry Reedy tjreedy at udel.edu
Tue May 31 21:05:29 CEST 2011

On 5/31/2011 1:04 PM, anatoly techtonik wrote:
> Hi,
> I'd like to escalate http://bugs.python.org/issue12226 : 'use secured
> channel for uploading packages to pypi' to be shipped with next Python
> 2.6+
> This will prevent pydotorg password sniffing when submitting packages
> through public networks (such as hotels).

The requested one character change is
-    DEFAULT_REPOSITORY = 'http://pypi.python.org/pypi'
+    DEFAULT_REPOSITORY = 'https://pypi.python.org/pypi'

If Tarek (or perhaps Eric) agree that it is appropriate and otherwise 
innocuous, then Martin and Barry can decide whether to include in 2.5/2.6.

Terry Jan Reedy

More information about the Python-Dev mailing list