[Catalog-sig] SSL for PyPI

William McVey wam at wamber.net
Tue Feb 23 17:59:00 CET 2010


Sorry if this is the wrong group (if it is, please redirect me to the
proper list), but I'd like to suggest that PyPI be available via SSL
protection.  Obviously, I'd be willing to help with this effort as
well. It occurred to me as I was at PyCon 'pip install'ing away that
there was a real possibility of man-in-the-middle manipulations of
both the content of the packages downloaded as well as the actual
resolution of where packages were located (especially over an open
public wifi network). I certainly understand that turning off the
cleartext PyPI interface is not something that could be considered for
a very long time, but it'd be nice if those individuals who were
concerned about the potential for attack had an option to pull PyPI
info over a protected channel. And even if people weren't concerned,
if it were perhaps the default option in their environment, their
security posture could be improved.

From a technology standpoint, it should be straightforward to get an
SSL certificate for pypi.python.org, and then configure the web server
to provide the exact same content as the existing
http://pypi.python.org site. From the client side, I'd suggest an
extension/patch to pip (and easy_install) to use the SSL protected
version of PyPI when available. Obviously doing certificate validation
on the client side would require either python 2.6 or third party
packages, but even a warning announcing that the updates/installs were
happening over cleartext network would make people aware.

  -- William
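The client-side behaviour the message proposes (prefer the SSL-protected index when one is known to exist, verify the server certificate, and otherwise at least warn before fetching over cleartext), as an added example that is not part of the original post and not pip's or easy_install's own code. It targets the modern Python 3 standard library rather than the Python 2.6 era the post refers to; the host set, the warning class and the function names are assumptions, and the network fetch itself is not exercised here.

```python
import ssl
import urllib.request
import warnings
from urllib.parse import urlsplit, urlunsplit

# Assumed (not from the original post): hosts for which an HTTPS copy of the
# index is taken to exist, as the message proposes for pypi.python.org.
SSL_INDEX_HOSTS = {"pypi.python.org"}


class CleartextIndexWarning(UserWarning):
    """Emitted when package metadata would be fetched unencrypted."""


def choose_index_url(index_url, allow_cleartext=True):
    """Return the index URL to use, preferring the SSL-protected variant.

    http:// URLs for a host known to serve HTTPS are upgraded in place.
    Other http:// URLs either raise (allow_cleartext=False) or are kept
    with a warning, mirroring the "warn rather than break" option in the post.
    """
    parts = urlsplit(index_url)
    if parts.scheme == "https":
        return index_url
    if parts.scheme != "http":
        raise ValueError("unsupported index scheme: %s" % parts.scheme)
    if parts.hostname in SSL_INDEX_HOSTS:
        return urlunsplit(("https",) + tuple(parts[1:]))
    if not allow_cleartext:
        raise ValueError("refusing cleartext index: %s" % index_url)
    warnings.warn("package index %s is fetched over cleartext HTTP; package "
                  "contents and locations could be altered in transit"
                  % index_url, CleartextIndexWarning, stacklevel=2)
    return index_url


def make_verified_opener():
    """urllib opener that requires a CA-signed cert whose name matches the host."""
    ctx = ssl.create_default_context()   # already CERT_REQUIRED + hostname check
    ctx.check_hostname = True            # restated so the policy is explicit
    ctx.verify_mode = ssl.CERT_REQUIRED
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


def fetch_simple_index(index_url, opener=None, allow_cleartext=False):
    """Fetch the index page text over a verified channel (makes a network call)."""
    url = choose_index_url(index_url, allow_cleartext=allow_cleartext)
    opener = opener or make_verified_opener()
    with opener.open(url, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")
```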
