[PATCH] Makes https+pycurl urls works with self-certified hosts
Vincent Ladeuil
v.ladeuil+lp at free.fr
Tue Nov 7 12:11:22 GMT 2006
>>>>> "jam" == John Arbash Meinel <john at arbash-meinel.com> writes:
jam> PING
jam> You submitted this a while ago, and I gave a bit of feedback. Have you
jam> decided to not worry about it, or what are you thinking to do with this
jam> change?
Short answer: I will go with your proposed 3) later if ever.
Long answer:
That was a blocking point when hacking the webdav plugin based on
pycurl and connecting to a self-certified host (quite a small
targeted audience ;).
Now, the plugin is under work to use urllib, waiting:
- urllib handling passwords including realm (DAV imposes a realm),
- that in turn waits for redirection handling in urllib (just because),
- redirection waits for urllib connection keepalive integration
into bzr core,
So, I do not forget it, but there is no urgency and I may even
forget about it if the urllib implementation satisfies the webdav
plugin requirements.
<snip/>
>> So final feeling:
>>
>> 1) You need to get rid of the tabs
>> 2) If you use an env var, have it explicitly list the allowed hosts. It
>> might also be reasonable to put this into ~/.bazaar/bazaar.conf, and
>> then you can access it with a_config = bzrlib.config.GlobalConfig().
>> Though it is a small layering violation to have a Transport know about
>> bzrlib.config. We've never really stated how we want to handle global
>> state information like this.
>> 3) I would prefer handling this on a case-by-case, with a user-prompt.
>> But (2) is reasonably secure, since you have to explicitly
>> enable a host as being okay for self certified. It still
>> leaves you open to man-in-the-middle on that host, but at
>> least it doesn't open you up to man-in-the-middle on every
>> other host.
Vincent (still catching up the ML after vacations)
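
Point 2 of the quoted feedback (an explicit list of hosts allowed to be self-certified) could look like the sketch below. This is an added example, not code from the patch or from bzr: the BZR_SELF_SIGNED_HOSTS variable name, the function names and the example.test hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical setting name (assumption); bzr defines no such variable.
ENV_VAR = "BZR_SELF_SIGNED_HOSTS"

# libcurl defaults: verify the chain and match the certificate to the host name.
STRICT = {"SSL_VERIFYPEER": 1, "SSL_VERIFYHOST": 2}
# Both checks off: only ever returned for an explicitly listed host and port.
RELAXED = {"SSL_VERIFYPEER": 0, "SSL_VERIFYHOST": 0}


def parse_allowed_hosts(raw):
    """Parse 'host[:port], host[:port]' into a set of (host, port) pairs."""
    allowed = set()
    for item in (raw or "").split(","):
        item = item.strip().lower()
        if not item:
            continue
        # Literal hosts only: no wildcards, paths, credentials or queries.
        if any(c in item for c in "*/@?#"):
            raise ValueError("expected a literal host[:port], got %r" % item)
        parts = urlsplit("//" + item)
        if not parts.hostname:
            raise ValueError("missing host name in %r" % item)
        allowed.add((parts.hostname, parts.port or 443))
    return allowed


def ssl_options_for(url, allowed):
    """Return the verification options to apply for this URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("https", "https+pycurl") or not parts.hostname:
        return dict(STRICT)
    # Exact host and port match; every other host keeps full verification.
    if (parts.hostname, parts.port or 443) in allowed:
        return dict(RELAXED)
    return dict(STRICT)


if __name__ == "__main__":
    import os
    hosts = parse_allowed_hosts(os.environ.get(ENV_VAR, "dav.example.test"))
    for u in ("https+pycurl://dav.example.test/repo", "https://other.example.test/"):
        print(u, ssl_options_for(u, hosts))
```

The dictionary keys are the names of the pycurl constants, so a transport could apply them to a handle with curl.setopt(getattr(pycurl, name), value).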