[issue12358] validate server certificate when uploading packages to PyPI
Stefan Krah stefan-use...@bytereef.org added the comment: I agree with Éric: This is a duplicate. -- nosy: +skrah resolution: - duplicate status: open - closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue12358 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue12358] validate server certificate when uploading packages to PyPI
New submission from anatoly techtonik techto...@gmail.com: Please add this as a child of master issue12357. When default protocol to upload to PyPI is switched to HTTPS in issue12226, the next step is to validate the certificate. Certificate validation requires that we will either: 1. distribute root CACert certificate with Python (for some reason it is not included/trusted on Windows platform) 2. acquire certificate for PyPI servers from party trusted by default, so that system certificates can be used for validation -- messages: 138578 nosy: techtonik priority: normal severity: normal status: open title: validate server certificate when uploading packages to PyPI type: security ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue12358 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue12358] validate server certificate when uploading packages to PyPI
Changes by anatoly techtonik techto...@gmail.com: -- assignee: - tarek components: +Distutils, Distutils2 nosy: +alexis, eric.araujo, tarek versions: +Python 2.7, Python 3.1, Python 3.2 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue12358 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue12358] validate server certificate when uploading packages to PyPI
Éric Araujo mer...@netwok.org added the comment: I’m going to close this report as a duplicate. The discussion about validation is already started on the other report, and I don’t want to commit first one patch with false security (use HTTPS), then a patch to validate: they should be one patch IMO. -- resolution: - duplicate stage: - committed/rejected status: open - closed superseder: - use HTTPS by default for uploading packages to pypi ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue12358 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue12358] validate server certificate when uploading packages to PyPI
anatoly techtonik techto...@gmail.com added the comment: That's two separate tickets. I intentionally wasted my time opening several of them to avoid making issues overcomplicated, so that they are manageable for review and won't slip from the next release. Ping me in GTalk if you want to discuss it. -- resolution: duplicate - status: closed - open ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue12358 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue12358] validate server certificate when uploading packages to PyPI
anatoly techtonik techto...@gmail.com added the comment: Mind you that HTTPS access without certificate validation is not a false security - even without certificate it provides a good protection from passive attacks. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue12358 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue12358] validate server certificate when uploading packages to PyPI
Éric Araujo mer...@netwok.org added the comment: I don’t see why you think we need two tickets. I will not commit the partial patch from the other bug, and I don’t think it’s overcomplicated to think about “use HTTPS with certificate checking”. About GTalk/Jabber: I prefer to discuss openly on this bug tracker or mailing lists. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue12358 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue12358] validate server certificate when uploading packages to PyPI
anatoly techtonik techto...@gmail.com added the comment: If tickets are small and easy, they can be committed faster. I wouldn't open another one if this small patch was committed in time. As I already explained, adding certificate check to HTTPS is a further security enhancement, and here is the report for it to not forget and discuss further security issues. It is not 'incomplete'. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue12358 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com