distribute_setup.py should use https, not http, to access pypi

Issue #354 new
Pierre Carbonnelle created an issue

A security vulnerability of PyPI was exposed on reddit a couple of weeks ago, and appropriate actions are taken on pip to use https to access PyPI. Developers there are also concerned with distribute.

I see that distribute_setup.py pulls data via http: DEFAULT_URL = "http://pypi.python.org/packages/source/d/distribute/"

This vulnerability should be fixed. There may be others in distribute.

This should be corrected ASAP.

Comments (2)

  1. Arfrever Frehtes Taifersar Arahesis

    See discussion in CPython issue #12226. Certificate checking might need to be implemented. There needs to be an http fallback for use when SSL support is not available in Python.
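
Added example, not part of the issue thread or of distribute's code: one way to combine the two points raised above, verified https by default and a plain-http fallback that is allowed only when the download can be checked against a SHA-256 digest pinned in the script. The digest pinning and the names `to_https`, `digest_matches`, `fetch` and `have_ssl` are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit, urlunsplit
from urllib.request import urlopen

try:
    import ssl
except ImportError:  # interpreter built without SSL support
    ssl = None

# Value quoted in the issue.
DEFAULT_URL = "http://pypi.python.org/packages/source/d/distribute/"


def to_https(url):
    """Rewrite an http(s) URL to https; reject any other scheme."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    return urlunsplit(("https",) + tuple(parts[1:]))


def digest_matches(data, expected_sha256):
    """Check downloaded bytes against a SHA-256 pinned in the script."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def fetch(url, expected_sha256=None, opener=urlopen, have_ssl=ssl is not None):
    """Hypothetical helper: verified TLS first, plain http only with a pin."""
    if have_ssl:
        # Default context verifies the certificate chain and the hostname.
        ctx = ssl.create_default_context()
        data = opener(to_https(url), context=ctx).read()
    elif expected_sha256 is None:
        # Nothing authenticates the bytes: refuse instead of trusting http.
        raise RuntimeError("no SSL support and no pinned digest")
    else:
        data = opener(url).read()
    if expected_sha256 is not None and not digest_matches(data, expected_sha256):
        raise ValueError("SHA-256 mismatch, discarding download")
    return data
```
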
