This issue tracker has been migrated to GitHub ,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2011年06月18日 09:33 by techtonik, last changed 2022年04月11日 14:57 by admin. This issue is now closed.
| Messages (7) | |||
|---|---|---|---|
| msg138578 - (view) | Author: anatoly techtonik (techtonik) | Date: 2011年06月18日 09:33 | |
Please add this as a child of master issue12357. When default protocol to upload to PyPI is switched to HTTPS in issue12226, the next step is to validate the certificate. Certificate validation requires that we will either: 1. distribute root CACert certificate with Python (for some reason it is not included/trusted on Windows platform) 2. acquire certificate for PyPI servers from party trusted by default, so that system certificates can be used for validation |
|||
| msg138599 - (view) | Author: Éric Araujo (eric.araujo) * (Python committer) | Date: 2011年06月18日 20:54 | |
I’m going to close this report as a duplicate. The discussion about validation is already started on the other report, and I don’t want to commit first one patch with false security (use HTTPS), then a patch to validate: they should be one patch IMO. |
|||
| msg138604 - (view) | Author: anatoly techtonik (techtonik) | Date: 2011年06月18日 21:30 | |
That's two separate tickets. I intentionally wasted my time opening several of them to avoid making issues overcomplicated, so that they are manageable for review and won't slip from the next release. Ping me in GTalk if you want to discuss it. |
|||
| msg138605 - (view) | Author: anatoly techtonik (techtonik) | Date: 2011年06月18日 21:32 | |
Mind you that HTTPS access without certificate validation is not a false security - even without certificate it provides a good protection from passive attacks. |
|||
| msg138606 - (view) | Author: Éric Araujo (eric.araujo) * (Python committer) | Date: 2011年06月18日 21:33 | |
I don’t see why you think we need two tickets. I will not commit the partial patch from the other bug, and I don’t think it’s overcomplicated to think about "use HTTPS with certificate checking". About GTalk/Jabber: I prefer to discuss openly on this bug tracker or mailing lists. |
|||
| msg138611 - (view) | Author: anatoly techtonik (techtonik) | Date: 2011年06月18日 21:53 | |
If tickets are small and easy, they can be committed faster. I wouldn't open another one if this small patch was committed in time. As I already explained, adding certificate check to HTTPS is a further security enhancement, and here is the report for it to not forget and discuss further security issues. It is not 'incomplete'. |
|||
| msg138628 - (view) | Author: Stefan Krah (skrah) * (Python committer) | Date: 2011年06月19日 11:58 | |
I agree with Éric: This is a duplicate. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022年04月11日 14:57:18 | admin | set | github: 56567 |
| 2011年06月19日 11:58:43 | skrah | set | status: open -> closed nosy: + skrah messages: + msg138628 resolution: duplicate |
| 2011年06月18日 21:53:01 | techtonik | set | messages: + msg138611 |
| 2011年06月18日 21:33:27 | eric.araujo | set | messages: + msg138606 |
| 2011年06月18日 21:32:56 | techtonik | set | messages: + msg138605 |
| 2011年06月18日 21:30:50 | techtonik | set | status: closed -> open resolution: duplicate -> (no value) messages: + msg138604 |
| 2011年06月18日 20:54:59 | eric.araujo | unlink | issue12357 dependencies |
| 2011年06月18日 20:54:25 | eric.araujo | set | status: open -> closed resolution: duplicate messages: + msg138599 superseder: use HTTPS by default for uploading packages to pypi stage: resolved |
| 2011年06月18日 20:52:38 | eric.araujo | link | issue12357 dependencies |
| 2011年06月18日 09:34:19 | techtonik | set | assignee: tarek nosy: + eric.araujo, alexis, tarek components: + Distutils, Distutils2 versions: + Python 3.1, Python 2.7, Python 3.2 |
| 2011年06月18日 09:33:59 | techtonik | create | |