[issue12226] use HTTPS by default for uploading packages to pypi

2013-12-21 Thread Antoine Pitrou

Changes by Antoine Pitrou pit...@free.fr:


--
assignee: eric.araujo ->
versions:  -Python 2.6

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue12226
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue12226] use HTTPS by default for uploading packages to pypi

2013-12-21 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 32a39ec6bd75 by Antoine Pitrou in branch '2.7':
Issue #12226: HTTPS is now used by default when connecting to PyPI.
http://hg.python.org/cpython/rev/32a39ec6bd75

--
nosy: +python-dev




[issue12226] use HTTPS by default for uploading packages to pypi

2013-12-21 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 2b5cd6d4d149 by Antoine Pitrou in branch '3.2':
Issue #12226: HTTPS is now used by default when connecting to PyPI.
http://hg.python.org/cpython/rev/2b5cd6d4d149

New changeset e5a9755c967c by Antoine Pitrou in branch '3.3':
Issue #12226: HTTPS is now used by default when connecting to PyPI.
http://hg.python.org/cpython/rev/e5a9755c967c

New changeset 9839aa0e5b28 by Antoine Pitrou in branch 'default':
Null merge (#12226 already fixed on default)
http://hg.python.org/cpython/rev/9839aa0e5b28

--




[issue12226] use HTTPS by default for uploading packages to pypi

2013-12-21 Thread Antoine Pitrou

Antoine Pitrou added the comment:

Closing as fixed, and opening a new issue for cert checking.

--
resolution: -> fixed
stage: -> committed/rejected
status: open -> closed




[issue12226] use HTTPS by default for uploading packages to pypi

2013-11-22 Thread Éric Araujo

Éric Araujo added the comment:

Donald assesses that porting the changeset to 2.7 would “make things a little 
nicer”, as it protects from passive attacks only.  The change is small.  What 
do people think?

--




[issue12226] use HTTPS by default for uploading packages to pypi

2013-11-22 Thread Antoine Pitrou

Antoine Pitrou added the comment:

Well, passive attacks are the easiest to mount by a casual attacker, so I think 
this is important to get in.

--




[issue12226] use HTTPS by default for uploading packages to pypi

2013-11-22 Thread Christian Heimes

Christian Heimes added the comment:

How about:

- load ca cert from default verify locations
- try connect with CERT_REQUIRED
- print warning when cert validation fails and try again with CERT_NONE
- match hostname otherwise

At least this warns the user about the issue. Is there a way to distinguish 
between CA missing and other failures?

Antoine Pitrou rep...@bugs.python.org wrote:

Antoine Pitrou added the comment:

Well, passive attacks are the easiest to mount by a casual attacker, so
I think this is important to get in.

--


--

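Christian's list above, as an added example that is not code from this thread or from distutils: it loads CA certificates from the default verify locations (or an explicit cafile, an assumed parameter), requires a certificate, matches the hostname, and uses the OpenSSL verify code that Python 3.7+ attaches to ssl.SSLCertVerificationError to separate a missing CA from other failures. It intentionally has no retry with CERT_NONE: that fallback would put an active attacker back in the position Donald describes, so the upload is refused with a diagnosis instead.

```python
import socket
import ssl
from urllib.parse import urlparse

# OpenSSL X509 verify result codes (x509_vfy.h) meaning "no trust anchor
# for this chain" rather than "the server's own certificate is bad".
CA_MISSING_CODES = {
    2,   # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
    18,  # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    19,  # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    20,  # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21,  # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
}

def make_upload_context(cafile=None):
    """CAs from the default verify locations (or an explicit bundle,
    assumed parameter), CERT_REQUIRED, and hostname matching."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # cert must match the server name
    ctx.verify_mode = ssl.CERT_REQUIRED  # unverified peers are rejected
    return ctx

def classify_verify_failure(exc):
    """Tell 'CA missing' apart from other failures via the verify_code that
    Python 3.7+ sets on ssl.SSLCertVerificationError. Hostname mismatch
    (62) and expiry (10) are 'bad-cert'; anything without a code is 'unknown'."""
    code = getattr(exc, "verify_code", None)
    if code is None:
        return "unknown"
    return "ca-missing" if code in CA_MISSING_CODES else "bad-cert"

def open_upload_connection(repository_url, ctx=None, timeout=10):
    """Open a verified TLS socket to the upload endpoint. A verification
    failure is reported with its class and the connection is refused;
    there is deliberately no second attempt with CERT_NONE."""
    parsed = urlparse(repository_url)
    if parsed.scheme != "https":
        raise ValueError("refusing non-HTTPS upload URL: %s" % repository_url)
    host, port = parsed.hostname, parsed.port or 443
    ctx = ctx or make_upload_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLCertVerificationError as exc:
        raw.close()
        kind = classify_verify_failure(exc)
        hint = ("no trusted CA for %s; supply cafile" % host
                if kind == "ca-missing" else "certificate rejected for %s" % host)
        raise ssl.SSLError("%s (%s): %s" % (hint, kind, exc)) from exc
```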



[issue12226] use HTTPS by default for uploading packages to pypi

2013-11-10 Thread anatoly techtonik

anatoly techtonik added the comment:

How come that this CVE is still present in just released 2.7.6?

--




[issue12226] use HTTPS by default for uploading packages to pypi

2013-06-08 Thread anatoly techtonik

anatoly techtonik added the comment:

This should have been backported to Python 2. I expect some related attacks on 
EuroPython.

--




[issue12226] use HTTPS by default for uploading packages to pypi

2013-06-08 Thread Donald Stufft

Donald Stufft added the comment:

I would +1 backporting this, but it's not massively required since it only 
protects against passive attacks.

It would however make things a little nicer.

--




[issue12226] use HTTPS by default for uploading packages to pypi

2013-06-08 Thread anatoly techtonik

anatoly techtonik added the comment:

If somebody sponsors my visit to EuroPython, I will dedicate some time to 
prepare a demo uploading rogue packages using sniffed credentials over WiFi 
without the owner's consent. After moving to CDN no upload logs are available, so 
it is even more secure for the attacker to do this stuff.

--




[issue12226] use HTTPS by default for uploading packages to pypi

2013-06-08 Thread Donald Stufft

Donald Stufft added the comment:

Uploading always hits the backend servers and thus has the same logging as 
before.

Merely switching to HTTPS only provides protections against passive attacks. 
You need verification to protect against active attacks (which are simple and 
easy to do as well). Like I said, not a bad move and I'd be in agreement on 
doing it but if the powers that be decide it's too big of a change it's not 
going to massively decrease the security.

--




[issue12226] use HTTPS by default for uploading packages to pypi

2013-03-24 Thread Benjamin Peterson

Benjamin Peterson added the comment:

This is true, but if we get proper certificate checking, this should 
automatically work correctly then.

--




[issue12226] use HTTPS by default for uploading packages to pypi

2013-03-24 Thread Éric Araujo

Éric Araujo added the comment:

I’m not sure what “this” refers to (in “This is true” and “this should 
automatically work correctly”).

My only concern is to avoid giving a false sense of security, so my initial 
stance was all-or-nothing.  However with the recent trend of incremental 
improvements to the PyPI ecosystem, I think it’s important to do what we can 
and keep the momentum, so I’m okay with the commit—I just wanted to make sure 
that committing half a fix was intentional.  You probably know more about SSL 
than me and you’re the RM, so let’s ship this. :)

--




[issue12226] use HTTPS by default for uploading packages to pypi

2013-03-24 Thread Benjamin Peterson

Benjamin Peterson added the comment:

By this, I meant the change I made. It was made in consultation with Richard 
Jones (added to nosy) at the PyCon sprints.

--
nosy: +richard




[issue12226] use HTTPS by default for uploading packages to pypi

2013-03-24 Thread Donald Stufft

Donald Stufft added the comment:

Using HTTPS without a Certificate prevents passive attacks but not active 
attacks. It puts things in a _better_ situation but not the ideal situation.

--
nosy: +dstufft




[issue12226] use HTTPS by default for uploading packages to pypi

2013-03-23 Thread Éric Araujo

Éric Araujo added the comment:

Benjamin, you committed a change to use HTTPS instead of HTTP.  In this bug 
report, we were having a discussion about the false/incomplete security that 
this provides if there is no certificate checking.  What are your thoughts on 
that?

--




[issue12226] use HTTPS by default for uploading packages to pypi

2013-03-18 Thread Arfrever Frehtes Taifersar Arahesis

Arfrever Frehtes Taifersar Arahesis added the comment:

New changeset f86d46a580d8 by Benjamin Peterson in branch 'default':
use the HTTPS for pypi upload
http://hg.python.org/cpython/rev/f86d46a580d8

--




[issue12226] use HTTPS by default for uploading packages to pypi

2013-02-24 Thread Giovanni Bajo

Giovanni Bajo added the comment:

Please notice that a redesign of PyPI and package security is ongoing in 
catalog-sig.

--
nosy: +Giovanni.Bajo




[issue12226] use HTTPS by default for uploading packages to pypi

2013-02-23 Thread Devin Cook

Changes by Devin Cook devin.c.c...@gmail.com:


--
nosy: +devin




[issue12226] use HTTPS by default for uploading packages to pypi

2013-02-15 Thread Christian Heimes

Christian Heimes added the comment:

CVE-2013-1754: Man-in-the-middle vulnerability in package upload feature of 
Python's distutils

--
nosy: +christian.heimes




[issue12226] use HTTPS by default for uploading packages to pypi

2013-02-04 Thread Christian Heimes

Changes by Christian Heimes li...@cheimes.de:


--
nosy: +benjamin.peterson, georg.brandl, larry
priority: normal -> release blocker
versions: +Python 3.4 -Python 3.1




[issue12226] use HTTPS by default for uploading packages to pypi

2013-02-04 Thread Christian Heimes

Changes by Christian Heimes li...@cheimes.de:


--
dependencies: +Include CA bundle and provide access to system's CA




[issue12226] use HTTPS by default for uploading packages to pypi

2013-02-04 Thread Éric Araujo

Changes by Éric Araujo mer...@netwok.org:


--
assignee: tarek -> eric.araujo
priority: release blocker -> high




[issue12226] use HTTPS by default for uploading packages to pypi

2011-06-18 Thread anatoly techtonik

anatoly techtonik techto...@gmail.com added the comment:

This simple patch slipped off 2.7.2. Why?

--
title: use secured channel for uploading packages to pypi -> use HTTPS by default for uploading packages to pypi




[issue12226] use HTTPS by default for uploading packages to pypi

2011-06-18 Thread Éric Araujo

Éric Araujo mer...@netwok.org added the comment:

Because it’s not finished.

--




[issue12226] use HTTPS by default for uploading packages to pypi

2011-06-18 Thread anatoly techtonik

anatoly techtonik techto...@gmail.com added the comment:

What is left?

--




[issue12226] use HTTPS by default for uploading packages to pypi

2011-06-18 Thread Éric Araujo

Éric Araujo mer...@netwok.org added the comment:

Certificate checking.

--




[issue12226] use HTTPS by default for uploading packages to pypi

2011-06-18 Thread anatoly techtonik

anatoly techtonik techto...@gmail.com added the comment:

That's the issue12358.

--
