[Catalog-sig] HTTPS now promoted on PyPI
PJ Eby
pje at telecommunity.com
Tue Feb 19 23:05:00 CET 2013
On Tue, Feb 19, 2013 at 12:13 AM, Richard Jones <r1chardj0n3s at gmail.com> wrote:
> 2. incorporate some monkey-patching into distribute and setuptools and
> promote those,
This is actually on my radar to do for setuptools, as soon as the dust
has settled enough on what it is the monkey-patching needs to *do*.
;-)
So far I know I'll be changing the default URLs and adding cert
verification, but I haven't looked at the register or upload stuff
yet. The part where people are saying https isn't working right now
is a big red flag for me, however; I don't want to push out an update
that'll just make the load situation worse.
In the meantime I'll be investigating and testing, of course. (One
annoying issue presently under investigation: determining whether
including a cacert bundle means setuptools' license terms will have to
change. Pip used LGPL, which appears to be compatible with the MPL.
I personally don't think certs should be copyrightable in the first
place, but some jurisdictions have compilation copyright of otherwise
non-copyrightable individual elements. Presumably, Mozilla's not
going to be a jerk about things, but... bleah. Licensing issues
*suck*.)
More information about the Catalog-SIG
mailing list