Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread M.-A. Lemburg
On 05.02.2013 02:36, Nick Coghlan wrote: > Something that caught my attention in the recent security discussions > is the observation that one of the most common insecure practices in > the Python community is to run "sudo pip" with unsigned packages > (sometimes on untrusted networks). > > To my

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread Nick Coghlan
On Tue, Feb 5, 2013 at 3:20 PM, Yuval Greenfield wrote: > Excellent idea. > > I've been using "sudo pip install" since forever for the exact reason you > mention. I don't even know how to install anything with pip and no sudo. If you're not inside a virtualenv, then "pip install --user " will ins

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread Yuval Greenfield
On Tue, Feb 5, 2013 at 3:36 AM, Nick Coghlan wrote: > Something that caught my attention in the recent security discussions > is the observation that one of the most common insecure practices in > the Python community is to run "sudo pip" with unsigned packages > (sometimes on untrusted networks)

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread Richard Jones
On 5 February 2013 13:45, Carl Meyer wrote: > On 02/04/2013 07:42 PM, Donald Stufft wrote: >> I think the biggest problem with this idea is going to be backwards >> compatibility. It's a good idea but it might need to be done as >> a "if we don't have permissions to write to the site-packages dire

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread Carl Meyer
On 02/04/2013 07:42 PM, Donald Stufft wrote: > I think the biggest problem with this idea is going to be backwards > compatibility. It's a good idea but it might need to be done as > a "if we don't have permissions to write to the site-packages directory > fail with a good error message and recomme

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread Donald Stufft
On Monday, February 4, 2013 at 9:40 PM, Richard Jones wrote: > On 5 February 2013 12:36, Nick Coghlan (mailto:ncogh...@gmail.com)> wrote: > > [snip "sudo pip" common & bad] > > > > If pip used the user site packages by default (when running as anyone > > other than root), that dangerous UI flow w

Re: [Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread Richard Jones
On 5 February 2013 12:36, Nick Coghlan wrote: > [snip "sudo pip" common & bad] > > If pip used the user site packages by default (when running as anyone > other than root), that dangerous UI flow wouldn't happen. > > Thoughts? I think it's a great idea. Perhaps also having pip warn about being r

[Catalog-sig] Use user-specific site-packages by default?

2013-02-04 Thread Nick Coghlan
Something that caught my attention in the recent security discussions is the observation that one of the most common insecure practices in the Python community is to run "sudo pip" with unsigned packages (sometimes on untrusted networks). To my mind, this is a natural reaction to the user experien

Re: [Catalog-sig] [Infrastructure] PyPi "D" host outage

2013-02-04 Thread Jannis Leidel
Looks like the mirror has finally caught up. Thanks all for letting me know :) Jannis On Sat, Feb 2, 2013 at 2:36 PM, Jannis Leidel wrote: > Hi all, > > So, I've made multiple attempts to fix the "d" mirror: I've been running > the pep381client script manually and monitored it for 3 consecuti

[Catalog-sig] pip and security

2013-02-04 Thread Giovanni Bajo
Hi Jannis, you mentioned on Twitter: https://twitter.com/jezdez/status/298143840341204992 that you have some insights on porting pip to requests for SSL verification. Can you please elaborate? Thanks! -- Giovanni Bajo :: ra...@develer.com Develer S.r.l. :: http://www.develer.com My Blog:

Re: [Catalog-sig] [PSF-Members] SSL validationg

2013-02-04 Thread Jesse Noller
On Monday, February 4, 2013 at 11:15 AM, Giovanni Bajo wrote: > Il giorno 04/feb/2013, alle ore 17:04, "Antoine Pitrou" (mailto:solip...@pitrou.net)> ha scritto: > > > > > Hi, > > > > > Il giorno 04/feb/2013, alle ore 16:02, Laurens Van Houtven <_...@lvh.cc > > > (mailto:_...@lvh.cc)> ha >

Re: [Catalog-sig] [PSF-Members] SSL validationg

2013-02-04 Thread Giovanni Bajo
Il giorno 04/feb/2013, alle ore 17:04, "Antoine Pitrou" ha scritto: > > Hi, > >> Il giorno 04/feb/2013, alle ore 16:02, Laurens Van Houtven <_...@lvh.cc> ha >> scritto: >> >>> On Mon, Feb 4, 2013 at 3:51 PM, Giovanni Bajo wrote: (That reminds me; does the stdlib still ignore

Re: [Catalog-sig] [PSF-Members] Howto Guide for MITM attacks on PyPI

2013-02-04 Thread Giovanni Bajo
Il giorno 04/feb/2013, alle ore 13:23, Christian Heimes ha scritto: > Am 04.02.2013 13:22, schrieb Donald Stufft: >> On Monday, February 4, 2013 at 7:20 AM, Donald Stufft wrote: >>> There can be more work in the future in making a reasonable >>> end to end validation story possible however there

Re: [Catalog-sig] [PSF-Members] Howto Guide for MITM attacks on PyPI

2013-02-04 Thread Daniel Holth
http://convergence.io/ is a useful system. It provides protection against MITM attacks by using network perspective: you ask notary servers located elsewhere on the Internet to verify the certificate of a site you visit. If the notary servers see the same certificate you do then you know the local

Re: [Catalog-sig] [PSF-Members] Howto Guide for MITM attacks on PyPI

2013-02-04 Thread Donald Stufft
On Monday, February 4, 2013 at 8:31 AM, Giovanni Bajo wrote: > Not that I'm against it doing it on the server side for now, anyway. It'll > still be useful to users manually browsing to PyPI. This is where it's important. If you're capable of MITM'ing pip you're capable of MITM'ing a web browser

Re: [Catalog-sig] [PSF-Members] Howto Guide for MITM attacks on PyPI

2013-02-04 Thread Christian Heimes
Am 04.02.2013 13:22, schrieb Donald Stufft: > On Monday, February 4, 2013 at 7:20 AM, Donald Stufft wrote: >> There can be more work in the future in making a reasonable >> end to end validation story possible however there are a few >> clear and easy wins especially with related to getting a real

Re: [Catalog-sig] [PSF-Members] Howto Guide for MITM attacks on PyPI

2013-02-04 Thread Donald Stufft
On Monday, February 4, 2013 at 7:20 AM, Donald Stufft wrote: > There can be more work in the future in making a reasonable > end to end validation story possible however there are a few > clear and easy wins especially with related to getting a real > trusted SSL certificate paid for and installed

Re: [Catalog-sig] [PSF-Members] Howto Guide for MITM attacks on PyPI

2013-02-04 Thread Donald Stufft
On Monday, February 4, 2013 at 5:51 AM, Lennart Regebro wrote: > I cc:d catalog-sig, aiming to move the discussion there. > > On Mon, Feb 4, 2013 at 11:40 AM, Christian Heimes (mailto:christ...@python.org)> wrote: > > * Package creator provides her public key somehow (a PKI is tricky and > > hard

Re: [Catalog-sig] [PSF-Members] Howto Guide for MITM attacks on PyPI

2013-02-04 Thread Lennart Regebro
I cc:d catalog-sig, aiming to move the discussion there. On Mon, Feb 4, 2013 at 11:40 AM, Christian Heimes wrote: > * Package creator provides her public key somehow (a PKI is tricky and > hard to get right) This breaks it. It can't be "somehow". For example, I'm currently working on a project I