For example, do they check a digital signature (like apt-get and Windows Update) or can they be required to use SSL? If not, I'm a bit concerned that the downloaded packages could be trojaned.
3 Answers
Pip has been updated:
SSL Certificate Verification
Starting with v1.3, pip provides SSL certificate verification over https, to prevent man-in-the-middle attacks against PyPI downloads.
Version 8.0 also has the functionality to check against local hashes.
Not all Python packages are hosted on pypi.python.org, but easy_install will look at the PyPI page for download links. Many common packages like PIL and lxml use their own distribution server (which in fact often causes issues for package consumers). Example: http://pypi.python.org/pypi/PIL/
pypi.python.org itself does not seem to offer HTTPS support of any kind.
If you wish to provide a secure easy_install / pip environment, I suggest you mirror the required packages to a server where you maintain HTTPS yourself and then restrict downloads to this server using the --allow-hosts option:
http://packages.python.org/distribute/easy_install.html#restricting-downloads-with-allow-hosts
Where available, MD5 information should be added to download URLs by appending a fragment identifier of the form #md5=..., where ... is the 32-character hex MD5 digest. EasyInstall will verify that the downloaded file’s MD5 digest matches the given value.
http://packages.python.org/distribute/easy_install.html
It seems easy_install does some validation, but it seems it only checks if the package repository supplies the MD5 key.
The future plans section of the same page further highlights this:
Future plans:
- Signature checking? SSL? Ability to suppress PyPI search?
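To make the `#md5=...` convention concrete, here is an added example (not code from the answer or from setuptools/distribute) that parses the digest fragment from a download URL and checks a downloaded payload against it; the URL, digest and payload are constructed. It also surfaces the case the answer warns about: a URL with no digest fragment, which leaves the installer nothing to verify.

```python
import hashlib
import re
from urllib.parse import urlparse

# Fragment syntax documented for easy_install: "#md5=<32 hex chars>".
_MD5_FRAGMENT = re.compile(r"^md5=([0-9a-fA-F]{32})$")


def expected_md5(url: str):
    """Return the MD5 hex digest carried in the URL fragment, or None if absent or malformed."""
    fragment = urlparse(url).fragment
    match = _MD5_FRAGMENT.match(fragment)
    return match.group(1).lower() if match else None


def verify_download(url: str, payload: bytes) -> str:
    """Classify a download as 'verified', 'mismatch' or 'unverified'.

    'unverified' is the weak spot the answer points out: when the index does
    not publish a digest, an installer that only checks digests that are
    present accepts the file as-is.
    """
    expected = expected_md5(url)
    if expected is None:
        return "unverified"
    actual = hashlib.md5(payload).hexdigest()
    return "verified" if actual == expected else "mismatch"


# Constructed sample data (not a real package or a real index entry).
GOOD_PAYLOAD = b"constructed sdist bytes"
GOOD_URL = "https://example.invalid/pkg-1.0.tar.gz#md5=" + hashlib.md5(GOOD_PAYLOAD).hexdigest()
BARE_URL = "https://example.invalid/pkg-1.0.tar.gz"

if __name__ == "__main__":
    print(verify_download(GOOD_URL, GOOD_PAYLOAD))       # verified
    print(verify_download(GOOD_URL, b"tampered bytes"))  # mismatch
    print(verify_download(BARE_URL, GOOD_PAYLOAD))       # unverified
```

The check can only catch a file that disagrees with a digest the index chose to publish, and MD5 is not collision-resistant; pip's later hash-checking mode (pip 8) uses SHA-2 digests such as sha256 in the requirements file instead.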