[Catalog-sig] PyPI and setuptools

PJ Eby pje at telecommunity.com
Tue Feb 12 19:36:05 CET 2013


On Sat, Feb 9, 2013 at 7:54 PM, Giovanni Bajo <rasky at develer.com> wrote:
> The problem with this approach is that the Python standard library does not validate SSL certificates. So even if you force a urllib-based tool to access PyPI through https, it doesn't help at all in case of a MITM attack.

FWIW, if someone provides a suitable *cross-platform* urllib
monkeypatch that does certificate validation, even if it only
validates PyPI's certificate, I'll add it to setuptools and issue a
patch release that uses it, and has its default index URL updated to
the https version.
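As an added illustration (not code from this thread or from setuptools), here is the shape of what is being asked for, written for Python 3: a urllib opener whose HTTPS handler uses an SSL context that requires a trusted certificate chain and checks the hostname, installed globally so that every `urlopen` call goes through it. Python 2.7.9 and 3.4.3 onward verify by default (PEP 476); the optional `cafile` argument narrows trust to one CA bundle, which is the "only validates PyPI's certificate" variant the message mentions. The index URL and the bundle path are assumptions, not values from the thread.

```python
import ssl
import urllib.request

# Assumed https index URL, in the spirit of the default-URL change proposed above.
PYPI_INDEX = "https://pypi.python.org/simple/"


def make_verifying_context(cafile=None):
    """Build an SSL context that rejects untrusted or mis-named certificates.

    With cafile=None the platform's default CA store is used. Passing a bundle
    that contains only the CA that issued PyPI's certificate narrows trust to
    that issuer (the "only validates PyPI's certificate" option).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets both, but state the policy explicitly:
    # a MITM presenting a self-signed or wrong-host certificate must fail here.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_verifying(ctx):
    """True only if the context will refuse an unverified or mis-named peer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def install_verifying_opener(cafile=None):
    """Install a global urllib opener so that urlopen() verifies HTTPS peers."""
    ctx = make_verifying_context(cafile)
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    urllib.request.install_opener(opener)  # the "monkeypatch" step, done via the public API
    return opener


def insecure_context():
    """The pre-PEP-476 behaviour the message complains about, for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, including an attacker's, is accepted
    return ctx


if __name__ == "__main__":
    install_verifying_opener()  # or install_verifying_opener("pypi_ca_bundle.pem"), a placeholder path
    # urllib.request.urlopen(PYPI_INDEX) now fails on an untrusted or mismatched certificate.
```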