New submission from anatoly techtonik <techto...@gmail.com>:

Before the next version is released, I'd like to push this one-line modification to reduce the risk of sniffing the Python development password when people upload packages to PyPI, by using the https:// communication channel by default.
Distutils doesn't validate the PyPI server certificate, so this change doesn't prevent MITM attacks, but at least it makes package submissions over wireless channels and public networks safer. Taking into account that people still release packages for Python 2.5+ (AppEngine), I'd like to see this fix backported to at least Python 2.6.

----------
assignee: tarek
components: Distutils, Distutils2
files: pypy.https.patch
keywords: patch
messages: 137366
nosy: alexis, eric.araujo, tarek, techtonik
priority: normal
severity: normal
status: open
title: use secured channel for uploading packages to pypi
type: security
versions: Python 2.6, Python 2.7, Python 3.1

Added file: http://bugs.python.org/file22208/pypy.https.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue12226>
_______________________________________
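
Added example, not part of the original tracker message or the attached patch: a small audit of a distutils-style .pypirc that flags index servers whose upload URL is plain http://, the sniffing exposure the report describes. The sample file, its server names and the function name audit_pypirc are constructed for illustration; the check looks at the URL scheme only, so it says nothing about certificate validation.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample .pypirc (server names, URLs and passwords are made up).
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    internal
    staging

[pypi]
password = not-a-real-password

[internal]
repository = http://pypi.internal.example/pypi
password = not-a-real-password

[staging]
repository = https://staging.example/pypi
"""

def audit_pypirc(text):
    """Return {server: finding} for each index server listed in a .pypirc."""
    cfg = configparser.RawConfigParser()  # raw: passwords may contain '%'
    cfg.read_string(text)
    if not cfg.has_option("distutils", "index-servers"):
        return {}
    findings = {}
    for server in cfg.get("distutils", "index-servers").split():
        if not cfg.has_section(server):
            findings[server] = "listed but has no section"
            continue
        if not cfg.has_option(server, "repository"):
            # No explicit URL: the scheme is whatever the installed distutils defaults to.
            findings[server] = "default repository (scheme depends on distutils version)"
            continue
        scheme = urlsplit(cfg.get(server, "repository")).scheme.lower()
        if scheme == "https":
            findings[server] = "ok"
        elif cfg.has_option(server, "password"):
            findings[server] = "cleartext upload, stored password exposed"
        else:
            findings[server] = "cleartext upload"
    return findings

if __name__ == "__main__":
    for name, finding in audit_pypirc(SAMPLE_PYPIRC).items():
        print(f"{name}: {finding}")
```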