Please add this as a child of master . When default protocol to upload to PyPI is switched to HTTPS in , the next step is to validate the certificate. Certificate validation requires that we will either: 1. distribute root CACert certificate with Python (for some reason it is not included/trusted on Windows platform) 2. acquire certificate for PyPI servers from party trusted by default, so that system certificates can be used for validation
I’m going to close this report as a duplicate. The discussion about validation is already started on the other report, and I don’t want to commit first one patch with false security (use HTTPS), then a patch to validate: they should be one patch IMO.
That's two separate tickets. I intentionally wasted my time opening several of them to avoid making issues overcomplicated, so that they are manageable for review and won't slip from the next release. Ping me in GTalk if you want to discuss it.
Mind you that HTTPS access without certificate validation is not a false security - even without certificate it provides a good protection from passive attacks.
I don’t see why you think we need two tickets. I will not commit the partial patch from the other bug, and I don’t think it’s overcomplicated to think about “use HTTPS with certificate checking”. About GTalk/Jabber: I prefer to discuss openly on this bug tracker or mailing lists.
If tickets are small and easy, they can be committed faster. I wouldn't open another one if this small patch was committed in time. As I already explained, adding certificate check to HTTPS is a further security enhancement, and here is the report for it to not forget and discuss further security issues. It is not 'incomplete'.
