On 23/08/2017 21:11, Chris Angelico wrote:
> On Thu, Aug 24, 2017 at 4:04 AM, Bruce Leban <br...@leban.us> wrote:
>> On Wed, Aug 23, 2017 at 10:37 AM, John Torakis <john.tora...@gmail.com>
>> wrote:
>>>
>>> Github can be trusted 100% percent for example.
>>
>> This isn't even remotely close to true. While I'd agree with the statement
>> that the SSL cert on github is reasonably trustworthy, the *content* on
>> github is NOT trustworthy and that's where the security risk is.
>>
>> I agree that this is a useful feature and there is no way it should be on by
>> default. The right way IMHO to do this is to have a command line option
>> something like this:
>>
>> python --http-import somelib=https://github.com/someuser/somelib
>
> If you read his README, it's pretty explicit about URLs; the risk is
> that "https://github.com/someuser/somelib" can be intercepted, not
> that "someuser" is malicious. If you're worried about the latter,
> don't use httpimport.
Again, if https://github.com/someuser/somelib can be intercepted, https://pypi.python.org/pypi can too.
If HTTPS is intercepted so easily (when not used from browsers) we are f**ed...

>
> ChrisA
> _______________________________________________
> Python-ideas mailing list
> Python-ideas@python.org
> https://mail.python.org/mailman/listinfo/python-ideas
> Code of Conduct: http://python.org/psf/codeofconduct/
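The two concerns in the thread (a tampered HTTPS response, and repository content that is not itself trustworthy) are both addressed by pinning a hash of the module source recorded at review time, and by refusing plain-HTTP URLs outright. The example below is added here and is not code from httpimport or from anyone in the thread; the function names are hypothetical and the module source is a constructed sample standing in for a fetched file.

```python
import hashlib
import types
from urllib.parse import urlparse


def check_source_url(url: str) -> bool:
    """Accept only https:// URLs with a host, so the fetch at least gets TLS.

    This mirrors the README point quoted above: the URL scheme is the
    first thing to check before anything is downloaded.
    """
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def load_pinned_module(name: str, source: bytes, expected_sha256: str) -> types.ModuleType:
    """Execute remote module source only if its SHA-256 matches a pinned value.

    The expected hash is something you record when you review the code;
    a mismatch means either the transport was tampered with or the
    repository changed since review, and in both cases nothing runs.
    """
    digest = hashlib.sha256(source).hexdigest()
    if digest != expected_sha256.lower():
        raise ValueError(f"hash mismatch for {name}: got {digest}, expected {expected_sha256}")
    module = types.ModuleType(name)
    exec(compile(source, f"<pinned:{name}>", "exec"), module.__dict__)
    return module


# Constructed sample: the bytes a fetch of somelib might have returned,
# together with the hash that would have been pinned after reviewing them.
SAMPLE_SOURCE = b"def greet(who):\n    return 'hello ' + who\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_SOURCE).hexdigest()


if __name__ == "__main__":
    assert check_source_url("https://github.com/someuser/somelib")
    somelib = load_pinned_module("somelib", SAMPLE_SOURCE, SAMPLE_SHA256)
    print(somelib.greet("world"))
```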