[Python-Dev] Sniffing passwords from PyPI using insecure connection
Terry Reedy
tjreedy at udel.edu
Tue May 31 21:05:29 CEST 2011
On 5/31/2011 1:04 PM, anatoly techtonik wrote:
> Hi,
>
> I'd like to escalate http://bugs.python.org/issue12226 : 'use secured
> channel for uploading packages to pypi' to be shipped with next Python
> 2.6+
> This will prevent pydotorg password sniffing when submitting packages
> through public networks (such as hotels).
The requested one character change is
- DEFAULT_REPOSITORY = 'http://pypi.python.org/pypi'
+ DEFAULT_REPOSITORY = 'https://pypi.python.org/pypi'
If Tarek (or perhaps Eric) agree that it is appropriate and otherwise
innocuous, then Martin and Barry can decide whether to include in 2.5/2.6.
Terry Jan Reedy
More information about the Python-Dev
mailing list