
Re: Bug#750638: ITP: ndg-httpsclient -- enhanced HTTPS support for httplib and urllib2 using PyOpenSSL



On Jun 5, 2014, at 12:02 PM, Barry Warsaw <barry@debian.org> wrote:

> On Jun 05, 2014, at 11:52 AM, Donald Stufft wrote:
> 
>> Yea it shouldn’t matter on Python 3.x as the SSLContext stuff urllib3 will
>> use to give good defaults there already.
> 
> Does any of this impact our wheels for virtualenv/pyvenv (Py2 and Py3)?
> 
> -Barry

Not really. requests will opportunistically use those three libraries in order to
have better TLS on Python 2.x. ensurepip doesn’t include them since it’s
for Python 3.x only, and virtualenv doesn’t because they require a compiler
(well pyopenssl does).

If Debian wanted to make pip in virtualenv safer they could create wheels for
those 3 and install them into python 2.x virtualenvs by default (they can be
installed normally, they don’t require any magic). This would be Debian going
above the “standard” for what upstream or any other OS does afaik.

However I don’t think it’s really a big deal, most of the attacks on TLS affect
the confidentiality portions, however pip doesn’t really care too much about
that and currently relies on TLS mostly for the authenticity portion.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
