[issue12226] use secured channel for uploading packages to pypi

2011-06-07 Thread Antoine Pitrou
Antoine Pitrou added the comment: > If you make an HTTPS connection without checking the certificate, what > security does it add? Well, it does prevent the most trivial class of attacks (sniffing). That said, Python has support for certificate checking, especially in 3.2+, so you should use

[issue12226] use secured channel for uploading packages to pypi

2011-06-06 Thread Fred L. Drake, Jr.
Fred L. Drake, Jr. added the comment: On Mon, Jun 6, 2011 at 11:50 AM, Éric Araujo wrote: > If you make an HTTPS connection without checking the certificate, what > security does it add? I'm in favor of cert checking, myself. -- ___ Python tracker

[issue12226] use secured channel for uploading packages to pypi

2011-06-06 Thread Éric Araujo
Éric Araujo added the comment: >> Thanks Stephan, that was on my mind but I forgot it. I’m -1 on >> using https if no validation is performed. > It will be more professional if you could also explain why. If you make an HTTPS connection without checking the certificate, what security does it

[issue12226] use secured channel for uploading packages to pypi

2011-06-06 Thread anatoly techtonik
anatoly techtonik added the comment: On Sat, Jun 4, 2011 at 5:33 PM, Éric Araujo wrote: > >> I think there should be a warning that the connection is >> unauthenticated (i.e. not secure). Users tend to be upset if they see >> 'https' and later find out that no certificates were verified. > > Tha

[issue12226] use secured channel for uploading packages to pypi

2011-06-04 Thread Éric Araujo
Éric Araujo added the comment: > I think there should be a warning that the connection is > unauthenticated (i.e. not secure). Users tend to be upset if they see > 'https' and later find out that no certificates were verified. Thanks Stephan, that was on my mind but I forgot it. I’m -1 on usin

[issue12226] use secured channel for uploading packages to pypi

2011-06-03 Thread anatoly techtonik
anatoly techtonik added the comment: I believe that's a very personal judgement. For me exposing core Python development accounts is a fundamental flaw. The more accounts are collected, the more real are attacks through PyPI package injection.

[issue12226] use secured channel for uploading packages to pypi

2011-06-03 Thread Martin v. Löwis
Martin v. Löwis added the comment: > I can fill separate bug for packaging, server certificate validation > and support for non-SSL builds of python (for which there is > workaround with upload -r option that I've just discovered), > but it is an additional delay and the only reason I invested

[issue12226] use secured channel for uploading packages to pypi

2011-06-03 Thread anatoly techtonik
anatoly techtonik added the comment: Sorry for the delay. I've just uploaded http://pypi.python.org/pypi/ctypesgen/0.r125 from Ubuntu using python2.6 with patched distutils module to https://pypi.python.org/pypi and can confirm it works without problems on Linux. So I can guarantee there won

[issue12226] use secured channel for uploading packages to pypi

2011-06-03 Thread Martin v. Löwis
Martin v. Löwis added the comment: If users use a browser to do secure uploading, there is no need to publish the certificate. It is signed by a trusted CA (cacert), so you just need to make sure your browser knows about the cacert certificate. --

[issue12226] use secured channel for uploading packages to pypi

2011-06-03 Thread Stefan Krah
Stefan Krah added the comment: I think there should be a warning that the connection is unauthenticated (i.e. not secure). Users tend to be upset if they see 'https' and later find out that no certificates were verified. A reasonably secure alternative is to publish the pypi server certificate
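What Antoine's point (Python can check certificates; use that) and Stefan's (warn when the channel is unauthenticated, or pin the published server certificate) look like in code. This is an added example, not distutils' code and not code from anyone in the thread; it is written against the modern `ssl`/`http.client` API rather than the 2011 one, and the repository URL, credentials, CA file path and pinned fingerprint are assumptions for illustration. It also shows why the plain-http default was worth fixing at all: the Basic auth header distutils sends is reversible base64, so a passive sniffer recovers the password directly.

```python
# Added example (not distutils' own code): a register/upload-style POST over a
# TLS channel that actually authenticates the server. The repository URL,
# credentials, cafile and pinned fingerprint are assumptions, not real values.
import base64
import hashlib
import http.client
import ssl
from urllib.parse import urlsplit


def basic_auth_header(username, password):
    """Build the HTTP Basic header sent with register/upload.
    Base64 is reversible, so over http:// this is the password in clear."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_auth(header):
    """What a passive sniffer on the same network recovers from an http:// upload."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    username, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return username, password


def require_https(repository_url):
    """Refuse to put credentials on the wire unless the scheme is https."""
    parts = urlsplit(repository_url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send credentials over {parts.scheme!r}: {repository_url}")
    return parts.hostname, parts.port or 443, parts.path or "/"


def verifying_context(cafile=None):
    """TLS context with certificate and hostname verification switched on.

    cafile=None uses the platform CA bundle. Passing the published server
    certificate (or the CA certificate that signed it) as cafile makes that
    file the only trust anchor, which is the pinning Stefan suggested."""
    if cafile is None:
        ctx = ssl.create_default_context()
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=cafile)
        # Let a pinned leaf certificate terminate the chain (flag exists on 3.10+).
        ctx.verify_flags |= getattr(ssl, "VERIFY_X509_PARTIAL_CHAIN", 0)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def sha256_fingerprint(der_cert):
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert, expected_sha256):
    """Pin check on the certificate the server actually presented."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return actual == expected_sha256.replace(":", "").lower()


def upload(repository_url, username, password, body, content_type,
           cafile=None, pinned_sha256=None):
    """POST an upload over verified TLS and return (status, reason).

    This performs a network call; the other functions are testable offline."""
    host, port, path = require_https(repository_url)
    conn = http.client.HTTPSConnection(host, port, context=verifying_context(cafile))
    conn.connect()  # handshake fails on an untrusted issuer or a hostname mismatch
    if pinned_sha256 is not None:
        der = conn.sock.getpeercert(binary_form=True)
        if not fingerprint_matches(der, pinned_sha256):
            conn.close()
            raise ssl.SSLCertVerificationError("peer certificate does not match the pinned fingerprint")
    headers = {
        "Authorization": basic_auth_header(username, password),
        "Content-Type": content_type,
    }
    conn.request("POST", path, body, headers)
    resp = conn.getresponse()
    return resp.status, resp.reason
```

Usage is `upload("https://pypi.example.org/pypi", "user", "pass", body, "multipart/form-data; boundary=...", pinned_sha256="ab:cd:...")` with a fingerprint taken out of band from the published certificate; the host name and fingerprint there are placeholders. The same shape worked on the 3.2-era API the thread refers to (an `ssl.SSLContext` passed as `context=` to `HTTPSConnection`), only the helper names differ.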

[issue12226] use secured channel for uploading packages to pypi

2011-06-03 Thread Éric Araujo
Éric Araujo added the comment: Patch needs to update the default server in packaging too.

[issue12226] use secured channel for uploading packages to pypi

2011-06-01 Thread Jakub Wilk
Changes by Jakub Wilk: -- nosy: +jwilk

[issue12226] use secured channel for uploading packages to pypi

2011-06-01 Thread Tarek Ziadé
Tarek Ziadé added the comment: On Wed, Jun 1, 2011 at 5:17 PM, Fred Drake wrote: > On Wed, Jun 1, 2011 at 11:14 AM, anatoly techtonik > wrote: >> Adding catalog-sig to CC. I can guarantee this for Windows. I'll be >> near Linux box tomorrow and will try upload to PyPI from there. It >> still

[issue12226] use secured channel for uploading packages to pypi

2011-06-01 Thread Fred L. Drake, Jr.
Fred L. Drake, Jr. added the comment: On Wed, Jun 1, 2011 at 11:14 AM, anatoly techtonik wrote: > Adding catalog-sig to CC. I can guarantee this for Windows. I'll be > near Linux box tomorrow and will try upload to PyPI from there. It > still will be more authoritative if more than one person c

[issue12226] use secured channel for uploading packages to pypi

2011-06-01 Thread anatoly techtonik
anatoly techtonik added the comment: On Wed, Jun 1, 2011 at 2:06 PM, Barry A. Warsaw wrote: > > Barry A. Warsaw added the comment: > > Given that 2.6.7 is rc2 with a final release scheduled in 2 days, I don't > want to apply this to 2.6 right now. Can you guarantee this won't regress > for

[issue12226] use secured channel for uploading packages to pypi

2011-06-01 Thread anatoly techtonik
anatoly techtonik added the comment: On Wed, Jun 1, 2011 at 10:30 AM, Stefan Krah wrote: > >> Distutils doesn't validate PyPI server certificate, so this change >> doesn't prevent MITM attacks, but at least it makes package >> submissions over wireless channels and public networks safer. >

[issue12226] use secured channel for uploading packages to pypi

2011-06-01 Thread Barry A. Warsaw
Barry A. Warsaw added the comment: Given that 2.6.7 is rc2 with a final release scheduled in 2 days, I don't want to apply this to 2.6 right now. Can you guarantee this won't regress for anybody? If so, then I'm also +0 for 2.6 after the 2.6.7 release.

[issue12226] use secured channel for uploading packages to pypi

2011-06-01 Thread Stefan Krah
Stefan Krah added the comment: > Distutils doesn't validate PyPI server certificate, so this change > doesn't prevent MITM attacks, but at least it makes package > submissions over wireless channels and public networks safer. Is that so? It's been a while, but I think e.g. ettercap is a hi

[issue12226] use secured channel for uploading packages to pypi

2011-05-31 Thread Martin v. Löwis
Martin v. Löwis added the comment: I'm +0 on changing 2.6. Many people use setuptools or distribute, so the impact of this change would be higher if those were modified instead of modifying 2.6 - in particular since few people are expected to pick up these security releases, anyway.

[issue12226] use secured channel for uploading packages to pypi

2011-05-31 Thread anatoly techtonik
anatoly techtonik added the comment: Yes. I've just uploaded http://pypi.python.org/pypi/review/r749 through https://pypi.python.org/pypi

[issue12226] use secured channel for uploading packages to pypi

2011-05-31 Thread Tarek Ziadé
Tarek Ziadé added the comment: Have you tried registering/uploading stuff through https ? if it's working as is I am +1 for this change in the next 2.7.x. For 2.6 don't know if it's worth a security patch. Martin, Barry, any opinion ? -- nosy: +barry, loewis

[issue12226] use secured channel for uploading packages to pypi

2011-05-31 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis: -- nosy: +Arfrever versions: +Python 3.2, Python 3.3

[issue12226] use secured channel for uploading packages to pypi

2011-05-31 Thread Brian Curtin
Changes by Brian Curtin: -- nosy: -brian.curtin

[issue12226] use secured channel for uploading packages to pypi

2011-05-31 Thread anatoly techtonik
anatoly techtonik added the comment: The distutils version that exposes this vulnerability is shipped with Python, that's why it is here.

[issue12226] use secured channel for uploading packages to pypi

2011-05-31 Thread Brian Curtin
Brian Curtin added the comment: Oops, never mind that, thought this was suggesting a change to PyPI itself, not distutils. -- nosy: +brian.curtin

[issue12226] use secured channel for uploading packages to pypi

2011-05-31 Thread Brian Curtin
Changes by Brian Curtin: -- nosy: -brian.curtin

[issue12226] use secured channel for uploading packages to pypi

2011-05-31 Thread Brian Curtin
Brian Curtin added the comment: This should probably be discussed on catalog-SIG, not the CPython bug tracker. -- nosy: +brian.curtin

[issue12226] use secured channel for uploading packages to pypi

2011-05-31 Thread anatoly techtonik
New submission from anatoly techtonik: Before the next version is released, I'd like to push this one-line modification to reduce the risk of sniffing a Python development password when people upload packages to PyPI, by using an https:// communication channel by default. Distutils doesn't validat