Hello Olaf,
Olaf Meeuwissen [2011-03-11 1:54 -0000]:
> Re #5, we've tested with the fixed code and getting the GPG fingerprint
> worked fine for us.
Nice!
> Not familiar with the python-pycurl code, I've one little question. The
> verified_https.py code seemed aimed at adding hostname validation,
> something HTTPSConnection didn't do. Assuming that was done on purpose,
> I guess the replacement code should do the same. Does pycurl do the
> validation?
Yes, it does by default:
http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLVERIFYHOST
Both the old (verified_https.py) and the new (pycurl) implementation
are covered by various test cases, amongst them one for a nonmatching
host name:
http://bazaar.launchpad.net/~jockey-hackers/jockey/trunk/view/head:/tests/detection.py#L896
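
The kind of host name check discussed in this thread, as an added example that is not part of the original message and is not code from Jockey, pycurl or libcurl. It assumes a certificate dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names, host names and sample certificates are constructed for illustration.

```python
# Added illustration: match a requested host name against the names in a
# server certificate, including the nonmatching case a test should cover.

def dns_name_matches(pattern, hostname):
    """Compare one certificate DNS name with the requested host name."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    # A wildcard is honoured only as the entire left-most label, and only
    # when at least two more labels follow it (so "*.org" never matches).
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches_hostname(cert, hostname):
    """Return True only if the certificate is valid for hostname."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # Legacy fallback: use commonName only when no DNS
        # subjectAltName entry is present at all.
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(n, hostname) for n in names)


# Constructed sample certificates (not taken from any real server).
CERT_SAN = {
    "subject": ((("commonName", "old.example.org"),),),
    "subjectAltName": (("DNS", "drivers.example.org"),
                       ("DNS", "*.cdn.example.org")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "drivers.example.org"),),)}

if __name__ == "__main__":
    for host in ("drivers.example.org", "a.cdn.example.org",
                 "old.example.org", "a.b.cdn.example.org"):
        print(host, cert_matches_hostname(CERT_SAN, host))
```

Chain validation against trusted CAs is a separate step; a client has to pass both checks before it trusts the connection.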