Bug#750638: ITP: ndg-httpsclient -- enhanced HTTPS support for httplib and urllib2 using PyOpenSSL

2014-06-05 Thread Julien Cristau
Package: wnpp
Severity: wishlist
Owner: Julien Cristau julien.cris...@logilab.fr

* Package name: ndg-httpsclient
  Version : 0.3.2
  Upstream Author : Science & Technology Facilities Council (STFC)
* URL : https://pypi.python.org/pypi/ndg-httpsclient
* License : BSD
  Programming Lang: Python
  Description : enhanced HTTPS support for httplib and urllib2 using PyOpenSSL

 ndg-httpsclient is a HTTPS client implementation for httplib and
 urllib2 based on PyOpenSSL. PyOpenSSL provides a more fully featured SSL
 implementation over the default provided with Python and importantly
 enables full verification of the SSL peer.

My main interest is to be able to talk to websites using SNI with
scripts using python-requests.

Cheers,
Julien
-- 
Julien Cristau  julien.cris...@logilab.fr
Logilab http://www.logilab.fr/
Informatique scientifique & gestion de connaissances


-- 
To UNSUBSCRIBE, email to debian-python-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140605102621.ga17...@crater1.logilab.fr



Re: Bug#750638: ITP: ndg-httpsclient -- enhanced HTTPS support for httplib and urllib2 using PyOpenSSL

2014-06-05 Thread Daniele Tricoli
Hello Julien,
thanks for packaging ndg-httpsclient!

On Thursday 05 June 2014 12:26:22 Julien Cristau wrote:
> My main interest is to be able to talk to websites using SNI with
> scripts using python-requests.

Once in the archive I will also add ndg-httpsclient into python-requests' 
Suggests.

Kind regards,

P.S. I'll do the same for python-urllib3:
 https://github.com/shazow/urllib3/pull/156

-- 
 Daniele Tricoli 'Eriol'
 http://mornie.org



Re: Bug#750638: ITP: ndg-httpsclient -- enhanced HTTPS support for httplib and urllib2 using PyOpenSSL

2014-06-05 Thread Donald Stufft

On Jun 5, 2014, at 7:09 AM, Daniele Tricoli er...@mornie.org wrote:

> Hello Julien,
> thanks for packaging ndg-httpsclient!
>
> On Thursday 05 June 2014 12:26:22 Julien Cristau wrote:
> > My main interest is to be able to talk to websites using SNI with
> > scripts using python-requests.
>
> Once in the archive I will also add ndg-httpsclient into python-requests'
> Suggests.
>
> Kind regards,
>
> P.S. I'll do the same for python-urllib3:
> https://github.com/shazow/urllib3/pull/156
>
> -- 
> Daniele Tricoli 'Eriol'
> http://mornie.org

You need pyasn1, pyopenssl, and ndg-httpsclient in order for the 
requests/urllib3 stuff to kick in.

It’d probably be a sane idea to use recommends, at least on Python 2.x since
using that also prevents CRIME and the like which Python 2.x is vulnerable to
otherwise IIRC.

-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA





Re: Bug#750638: ITP: ndg-httpsclient -- enhanced HTTPS support for httplib and urllib2 using PyOpenSSL

2014-06-05 Thread Julien Cristau
On Thu, Jun  5, 2014 at 10:24:48 -0400, Donald Stufft wrote:

 
> On Jun 5, 2014, at 7:09 AM, Daniele Tricoli er...@mornie.org wrote:
>
> > Hello Julien,
> > thanks for packaging ndg-httpsclient!
> >
> > On Thursday 05 June 2014 12:26:22 Julien Cristau wrote:
> > > My main interest is to be able to talk to websites using SNI with
> > > scripts using python-requests.
> >
> > Once in the archive I will also add ndg-httpsclient into python-requests'
> > Suggests.
> >
> > Kind regards,
> >
> > P.S. I'll do the same for python-urllib3:
> > https://github.com/shazow/urllib3/pull/156
> >
> > -- 
> > Daniele Tricoli 'Eriol'
> > http://mornie.org
>
> You need pyasn1, pyopenssl, and ndg-httpsclient in order for the
> requests/urllib3 stuff to kick in.
>
> It’d probably be a sane idea to use recommends, at least on Python 2.x since
> using that also prevents CRIME and the like which Python 2.x is vulnerable to
> otherwise IIRC.
 
My plan is for the ndg-httpsclient package to depend on pyopenssl and recommend 
pyasn1.

Cheers,
Julien
-- 
Julien Cristau  julien.cris...@logilab.fr
Logilab http://www.logilab.fr/
Informatique scientifique & gestion de connaissances





Re: Bug#750638: ITP: ndg-httpsclient -- enhanced HTTPS support for httplib and urllib2 using PyOpenSSL

2014-06-05 Thread Daniele Tricoli
Hello Donald,

On Thursday 05 June 2014 10:24:48 Donald Stufft wrote:
> You need pyasn1, pyopenssl, and ndg-httpsclient in order for the
> requests/urllib3 stuff to kick in.

Yes, of course: I was keeping an eye on all the needed packages.
 
> It’d probably be a sane idea to use recommends, at least on Python 2.x since
> using that also prevents CRIME and the like which Python 2.x is vulnerable
> to otherwise IIRC.

Thanks for pointing this out: for python-requests I will add to Recommends all of
the needed packages to ensure that SNI works as expected and to prevent CRIME.

For python3-requests do you think it's needed to also add them to Recommends?
Upstream issue 20994[¹] is still open, but Python3 supports SNI, and ssl
compression can be disabled, as reported on the issue, using OP_NO_COMPRESSION
(on python3 >= 3.3, but we have 3.4). I think using Suggests is fine in this
case.
I will add a README.Debian to explain clearly all of it.

Cheers,


[¹] http://bugs.python.org/issue20994

-- 
 Daniele Tricoli 'Eriol'
 http://mornie.org
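
Added example, not part of the thread: the two properties discussed above for Python 3 (SNI is sent, TLS compression is not offered) can be checked offline by capturing the ClientHello that the stdlib `ssl` module produces and parsing it. The function names and the hostname `sni.example.org` are constructed for illustration; Python 3.5 or later is assumed for `ssl.MemoryBIO`.

```python
import ssl
import struct

def client_hello(hostname):
    """Return the raw ClientHello record a hardened stdlib client would send."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED plus hostname checking
    ctx.options |= ssl.OP_NO_COMPRESSION    # the CRIME mitigation named in the thread
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()                  # no peer: stops after writing ClientHello
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()

def inspect_hello(record):
    """Parse a ClientHello; return (sni_names, compression_methods)."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake ClientHello")
    pos = 5 + 4 + 2 + 32                    # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                  # session id
    (n,) = struct.unpack_from("!H", record, pos)
    pos += 2 + n                            # cipher suites
    n = record[pos]
    compression = list(record[pos + 1:pos + 1 + n])
    pos += 1 + n
    (ext_len_total,) = struct.unpack_from("!H", record, pos)
    pos += 2
    ext_end = pos + ext_len_total
    names = []
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0:                   # server_name extension (SNI)
            p = pos + 2                     # skip server_name_list length
            while p < pos + ext_len:
                name_type, name_len = struct.unpack_from("!BH", record, p)
                if name_type == 0:          # host_name entry
                    names.append(record[p + 3:p + 3 + name_len].decode("ascii"))
                p += 3 + name_len
        pos += ext_len
    return names, compression
```

A compression list of `[0]` means only the null method is offered, so the server cannot negotiate TLS-level compression.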



Re: Bug#750638: ITP: ndg-httpsclient -- enhanced HTTPS support for httplib and urllib2 using PyOpenSSL

2014-06-05 Thread Donald Stufft

On Jun 5, 2014, at 11:47 AM, Daniele Tricoli er...@mornie.org wrote:

> Hello Donald,
>
> On Thursday 05 June 2014 10:24:48 Donald Stufft wrote:
> > You need pyasn1, pyopenssl, and ndg-httpsclient in order for the
> > requests/urllib3 stuff to kick in.
>
> Yes, of course: I was keeping an eye on all the needed packages.
>
> > It’d probably be a sane idea to use recommends, at least on Python 2.x since
> > using that also prevents CRIME and the like which Python 2.x is vulnerable
> > to otherwise IIRC.
>
> Thanks for pointing this out: for python-requests I will add to Recommends all of
> the needed packages to ensure that SNI works as expected and to prevent CRIME.
>
> For python3-requests do you think it's needed to also add them to Recommends?
> Upstream issue 20994[¹] is still open, but Python3 supports SNI, and ssl
> compression can be disabled, as reported on the issue, using
> OP_NO_COMPRESSION
> (on python3 >= 3.3, but we have 3.4). I think using Suggests is fine in this
> case.
> I will add a README.Debian to explain clearly all of it.
>
> Cheers,
>
>
> [¹] http://bugs.python.org/issue20994
>
> -- 
> Daniele Tricoli 'Eriol'
> http://mornie.org

Yea it shouldn’t matter on Python 3.x as the SSLContext stuff urllib3 will use 
to give good defaults there already.

-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA





Re: Bug#750638: ITP: ndg-httpsclient -- enhanced HTTPS support for httplib and urllib2 using PyOpenSSL

2014-06-05 Thread Donald Stufft

On Jun 5, 2014, at 12:02 PM, Barry Warsaw ba...@debian.org wrote:

> On Jun 05, 2014, at 11:52 AM, Donald Stufft wrote:
>
> > Yea it shouldn’t matter on Python 3.x as the SSLContext stuff urllib3 will
> > use to give good defaults there already.
>
> Does any of this impact our wheels for virtualenv/pyvenv (Py2 and Py3)?
>
> -Barry

Not really. requests will opportunistically use those three libraries in order
to have better TLS on Python 2.x. ensurepip doesn’t include them since it’s
for Python 3.x only, and virtualenv doesn’t because they require a compiler
(well pyopenssl does).

If Debian wanted to make pip in virtualenv safer they could create wheels for
those 3 and install them into python 2.x virtualenvs by default (they can be
installed normally, they don’t require any magic). This would be Debian going
above the “standard” for what upstream or any other OS does afaik.

However I don’t think it’s really a big deal, most of the attacks on TLS affect
the confidentiality portions, however pip doesn’t really care too much about
that and currently relies on TLS mostly for the authenticity portion.

-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA


