[Catalog-sig] PyPI and setuptools
Giovanni Bajo
rasky at develer.com
Sun Feb 10 01:54:07 CET 2013
Il giorno 10/feb/2013, alle ore 00:43, M.-A. Lemburg <mal at egenix.com> ha scritto:
> On 10.02.2013 00:13, Stephen Thorne wrote:
>> Hello,
>>
>> One of my concerns with the recent pip dramas that have seen some excellent
>> and timely action from catalog-sig and others, is that 'setuptools' is
>> still widely distributed and used instead of distribute/pip.
>
> Just as data point: distribute isn't using HTTPS either and the
> distribute bootstrap site doesn't work with HTTPS:
>
> http://python-distribute.org/
>
> (https://python-distribute.org/ gives
> "Error code: ssl_error_rx_record_too_long" in Firefox)
>
> By redirecting the PyPI main and mirror sites from HTTP to HTTPS
> you can "upgrade" older installations.
Alas, this redirection wouldn't fix the main issue, because a MITM can still proxy the connection, swallow the redirection, and insert a malware in the downloaded package. The only way to really fix it is to patch all PyPI clients, including distribute.
> An alternative approach would be to make people more aware of
> the possibility to configure the PyPI site URL in a distutils
> config file (even globally) and changing the URL from HTTP
> to HTTPS there:
>
> * distutils config files:
>
> http://docs.python.org/2/install/index.html#inst-config-files
>
> * setuptools:
>
> http://peak.telecommunity.com/DevCenter/EasyInstall#configuration-files
> http://peak.telecommunity.com/DevCenter/EasyInstall#command-line-options
> (the option is called --index-url)
>
> * distribute:
>
> http://pythonhosted.org/distribute/easy_install.html#configuration-files
> http://pythonhosted.org/distribute/easy_install.html#reference-manual
> (the option is called --index-url)
The problem with this approach is that Python standard library does not validate SSL certificates. So even if you force a urllib-based tool to access PyPI through https, it doesn't help at all in case of a MITM attack.
--
Giovanni Bajo :: rasky at develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4346 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130210/8df937ca/attachment.bin>
More information about the Catalog-SIG
mailing list