[Catalog-sig] Access to Windows' cert store

2013-03-21 Thread Christian Heimes
Hi, the message is slightly off-topic but it might be interesting for pip, setuptools and other developers that are working on HTTPS for PyPI. A while ago I found C++ example code that shows how to dump CA and CRL certs from Windows' system cert store. The system cert store contains the

Re: [Catalog-sig] Access to Windows' cert store

2013-03-21 Thread Christian Heimes
On 21.03.2013 13:58, M.-A. Lemburg wrote: Why not simply use the Firefox certs? We started adding these to our pyOpenSSL distribution with the last release: https://cms.egenix.com/products/python/pyOpenSSL/doc/#Module_OpenSSL.ca_bundle Sure, that's another viable option. But IIRC some

Re: [Catalog-sig] Access to Windows' cert store

2013-03-21 Thread Christian Heimes
On 21.03.2013 16:29, PJ Eby wrote: Very nice! I definitely would like to use this for setuptools, but I actually want it for versions 2.3-2.5, which can't use requests or urllib3 or anything like that. So I hacked on the code a bit and got it to work (or at least got the __main__ stub to

Re: [Catalog-sig] Access to Windows' cert store

2013-03-21 Thread Christian Heimes
On 21.03.2013 15:12, Antoine Pitrou wrote: This is nice, but can you follow up on the bug tracker? It would be much more appropriate than catalog-sig. Also you shouldn't need to encode the certs into PEM format. AFAICT, SSL_CTX_get_cert_store(), d2i_X509_AUX() and X509_STORE_add_cert()

Re: [Catalog-sig] hash tags

2013-03-09 Thread Christian Heimes
On 09.03.2013 02:06, Giovanni Bajo wrote: It's a good practice to avoid crypto algorithms whose foundations are known to be broken. This is one of those cases. If we ever touch code that uses MD5, we should drop it immediately. There is no reason to keep it and wait for someone to release

Re: [Catalog-sig] hash tags

2013-03-08 Thread Christian Heimes
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 08.03.2013 22:33, Donald Stufft wrote: On Mar 8, 2013, at 4:28 PM, M.-A. Lemburg m...@egenix.com wrote: BTW: If we go with the CDN caching model for external files, we'd pull the download page links directly on the /simple/ index page -

Re: [Catalog-sig] hash tags

2013-03-08 Thread Christian Heimes
On 08.03.2013 22:43, Daniel Holth wrote: Check out https://blake2.net/ ; it is both faster and more secure than md5. md5 does have to go, no matter how secure it is in this particular application. SHA2 is the only choice that doesn't require a long explanation. When this came up a little

Re: [Catalog-sig] hash tags

2013-03-08 Thread Christian Heimes
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 08.03.2013 23:03, Donald Stufft wrote: Sha-1 is broken. Sha-2 or better is the only real acceptable one in the stdlib. Well, then SHA-384 it is. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with

Re: [Catalog-sig] User profile: PGP Key ID

2013-02-20 Thread Christian Heimes
On 20.02.2013 21:12, M.-A. Lemburg wrote: On 20.02.2013 21:03, Donald Stufft wrote: On Wednesday, February 20, 2013 at 3:02 PM, Daniel Holth wrote: You know how to do S/MIME; how much harder would it be to use X.509 signatures as are supported with openssl and bundled GUI cert managers on

Re: [Catalog-sig] Pull request to migrate PyPI to bcrypt

2013-02-11 Thread Christian Heimes
On 11.02.2013 13:05, Giovanni Bajo wrote: This is harder to fix. Christian's main concern is that he doesn't trust me and my proposed solution because he didn't see it elsewhere. I saw it mentioned many times around, but I think that, at the end of the day, that's a red herring: the point

Re: [Catalog-sig] Pull request to migrate PyPI to bcrypt

2013-02-11 Thread Christian Heimes
On 11.02.2013 14:38, Donald Stufft wrote: On Monday, February 11, 2013 at 8:15 AM, M.-A. Lemburg wrote: Giovanni Bajo wrote: On 11/feb/2013, at 13:25, Jesse Noller jnol...@gmail.com wrote: Actually I was thinking about this in the shower: the

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Christian Heimes
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 05.02.2013 22:28, Zygmunt Krynicki wrote: * If we are trusting the fingerprint someone is sending us we can trust the public key they are sending us, * Adds an extra step to go from zero to releasing * Expecting the user to decrypt the mail

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Christian Heimes
On 05.02.2013 23:41, Lennart Regebro wrote: On Tue, Feb 5, 2013 at 10:13 PM, Giovanni Bajo ra...@develer.com wrote: - An uploader must be able to revoke her keys from PyPI without access to her private key. This is already implemented, a user can modify her listed GPG fingerprint. This

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-06 Thread Christian Heimes
On 05.02.2013 22:13, Giovanni Bajo wrote: The theoretical attack I can think of is that an attacker who has stolen the user's credential could re-upload a previous version of a package that has been removed/deprecated. I think that PyPI already mandates monotonic version number increases,

Re: [Catalog-sig] [Draft] Package signing and verification process

2013-02-05 Thread Christian Heimes
On 05.02.2013 21:23, Donald Stufft wrote: * Do we have bindings to GPG that we can use? * If not are we going to depend on users to install GPG? * GPG installation can be tricky, especially for someone new to programming. Linux and BSD come with GPG installed or easily

Re: [Catalog-sig] [PSF-Members] Howto Guide for MITM attacks on PyPI

2013-02-04 Thread Christian Heimes
On 04.02.2013 13:22, Donald Stufft wrote: On Monday, February 4, 2013 at 7:20 AM, Donald Stufft wrote: There can be more work in the future in making a reasonable end to end validation story possible, however there are a few clear and easy wins, especially related to getting a real