On Thu, Feb 28, 2013 at 5:00 PM, Donald Stufft <donald.stu...@gmail.com> wrote:
> SSL checking on upload should be possible, do you want
> a patch?

If it uses the 'requests' library, yes, I'll accept one. But I don't want to do any direct implementation of SSL cert checking in setuptools, at least in the short run (next few weeks), because:

1. I don't consider myself qualified as yet to write a correct patch or even verify that a contributed patch is correct/safe, and

2. There is a licensing issue with including the Mozilla root certificate set in setuptools under its current license, and I'm not 100% certain I can *change* the license. (I *could* potentially use a platform-provided cert set, but that's not really an option on Windows unless you have Windows expertise above my paygrade for pulling that stuff out of the registry.)

So, by delegating to the requests library, I can bypass both of those issues in the short term. In the longer term (>1 month from now), more integrated solutions may be more feasible.

Using "requests" is the best I think I can reasonably achieve by PyCon, but I *will* be publicizing a set of instructions for how to "safely" download setuptools and requests (via https in a browser to prevent MITM attacks), as well as how to configure easy_install for more secure default settings. (And easy_install will always use "requests" if present, unless specifically asked not to with a --no-ssl-verify option.)

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig