[issue17121] SSH upload for distutils

2016-09-08 Thread Christian Heimes
Christian Heimes added the comment: I retract my proposal. We don't need ssh upload any more. -- resolution: -> wont fix stage: needs patch -> resolved status: open -> closed

[issue17121] SSH upload for distutils

2013-06-19 Thread Jakub Wilk
Changes by Jakub Wilk: -- nosy: +jwilk

[issue17121] SSH upload for distutils

2013-06-17 Thread Éric Araujo
Éric Araujo added the comment: SSH upload is an acceptable new feature for Python 3.4, if it can be done without breaking compat or changing too many internals. (The distutils feature freeze was effectively lifted at PyCon; Nick Coghlan also has a PEP in the plans to discuss how to update dist

[issue17121] SSH upload for distutils

2013-06-14 Thread Tom Prince
Tom Prince added the comment: > "this package performs heavy monkey-patching of distutils to make it use the system's ssh command." > I don't think this bodes well for immediate inclusion, especially in a bugfix release. It only needs monkey-patching to convince distutils to connect over ssh. Th

[issue17121] SSH upload for distutils

2013-02-04 Thread Jesús Cea Avión
Jesús Cea Avión added the comment: Python 2.6 can get remote certificate and compute a hash of it, and compare that hash with a known fingerprint. This is what mercurial does. No proper certificate chain, but secure as far as the PYPI certificate doesn't change. This would be not a "final" so

[issue17121] SSH upload for distutils

2013-02-04 Thread Jesús Cea Avión
Changes by Jesús Cea Avión: -- nosy: +jcea

[issue17121] SSH upload for distutils

2013-02-04 Thread Éric Araujo
Changes by Éric Araujo: -- versions: -Python 2.6, Python 2.7, Python 3.2, Python 3.3

[issue17121] SSH upload for distutils

2013-02-04 Thread Gregory P. Smith
Changes by Gregory P. Smith: -- nosy: -gregory.p.smith

[issue17121] SSH upload for distutils

2013-02-04 Thread Benjamin Peterson
Benjamin Peterson added the comment: Too much of a new feature IMO. -- priority: release blocker -> normal

[issue17121] SSH upload for distutils

2013-02-04 Thread Christian Heimes
Christian Heimes added the comment: Perhaps a tiny bit. ;) My brain is in paranoid mode ...

[issue17121] SSH upload for distutils

2013-02-04 Thread Antoine Pitrou
Antoine Pitrou added the comment: Yes, and why do you think this should be addressed in the next bugfix release? If HTTPS is so broken that you can't upload important data with it, then perhaps patching Python is not the most important thing to do? In other words: don't you think you're overre

[issue17121] SSH upload for distutils

2013-02-04 Thread Christian Heimes
Christian Heimes added the comment: Benjamin requested that I should set the priority of all tickets to 'release blocker' that need to be addressed, discussed and possibly fixed for the upcoming releases.

[issue17121] SSH upload for distutils

2013-02-04 Thread Antoine Pitrou
Antoine Pitrou added the comment: Wow. Can we calm down? Setting many feature requests as release blockers certainly won't magically solve issues.

[issue17121] SSH upload for distutils

2013-02-04 Thread Christian Heimes
Changes by Christian Heimes: -- nosy: +barry, benjamin.peterson, georg.brandl, larry priority: critical -> release blocker

[issue17121] SSH upload for distutils

2013-02-04 Thread Christian Heimes
Christian Heimes added the comment: And there is OCSP. I'm getting sec_error_ocsp_invalid_signing_cert for https://pypi.python.org/pypi. I haven't been able to do a successful HTTPS request from Firefox to PyPI all day.

[issue17121] SSH upload for distutils

2013-02-04 Thread Donald Stufft
Donald Stufft added the comment: CACert is not *proper* irregardless of what that project's goals are. It is not trusted by default, therefore it does not provide the same level of security in the browser (Very few people will bother to look at the difference between a CACert and a self signed c

[issue17121] SSH upload for distutils

2013-02-04 Thread Antoine Pitrou
Antoine Pitrou added the comment: PyPI *has* a proper cert, it's just not in the default trusted certs of most distributions and browsers (i.e., it uses CACert). It would be easy to bundle CACert's root cert with distutils, if we wanted to.

[issue17121] SSH upload for distutils

2013-02-04 Thread Donald Stufft
Donald Stufft added the comment: Well Infrastructure *should* get a proper cert anyways else MITM is trivial via the web interface anyways.

[issue17121] SSH upload for distutils

2013-02-04 Thread Christian Heimes
Christian Heimes added the comment: Infrastructure needs to get a proper SSL cert first and we have to ship the CA's public key so we can verify the cert everywhere.

[issue17121] SSH upload for distutils

2013-02-04 Thread Donald Stufft
Donald Stufft added the comment: +1 for back porting SSL validation even if it's a private to distutils backport. pypissh requires a SSH Binary which isn't all that great on Windows where SSH is not typically installed by default. -- nosy: +dstufft

[issue17121] SSH upload for distutils

2013-02-04 Thread Hynek Schlawack
Hynek Schlawack added the comment: I would strongly prefer to back port certificate validation instead. Is there anything *practical* that makes it hard/impossible? If we want to keep features stable, we can add it privately so it’s only usable by distutils. The susceptibility to (easy!) MITM

[issue17121] SSH upload for distutils

2013-02-04 Thread Christian Heimes
Christian Heimes added the comment: Python 2.6 to 3.1 don't do HTTPS server cert validation. This leaves the upload process open to MITM attacks ...

[issue17121] SSH upload for distutils

2013-02-04 Thread Antoine Pitrou
Antoine Pitrou added the comment: > Martin has created a SSH uploader for distutils > http://pypi.python.org/pypi/pypissh. I suggest that we include the > feature in the next security update for Python 2.6 to 3.3. I'm well > aware that this beats the "no new feature" clause but in my opinion > "s

[issue17121] SSH upload for distutils

2013-02-04 Thread Christian Heimes
New submission from Christian Heimes: In the light of Ruby's recent issues and man in the middle attacks on PyPI (http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/) we should include secure uploads in distutils. Martin has created a SSH uploader for