Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implicitly trust explicitly requested repos. #813

Merged
merged 1 commit into from
Nov 26, 2019

Conversation

jsirois
Copy link
Member

@jsirois jsirois commented Nov 26, 2019

Previously we did not do this and could thus confusingly fail resolves
against explicitly requested insecure repos.

Fixes #812

Previously we did not do this and could thus confusingly fail resolves
against explicitly requested insecure repos.

Fixes pex-tool#812
Comment on lines +54 to +57
if 'http' == url_info.scheme:
# Implicitly trust explicitly asked for http indexes and find_links repos instead of requiring
# seperate trust configuration.
trusted_hosts.append(url_info.netloc)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think we should log when this happens? I'm not sure what -v level that would be, but maybe something people should know about and encourage them to see if there's an https version.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In order for this to happen, they said something like pex --index=http://my.index .... If they really mean to use the insecure index - say its internal - they probably would appreciate not being nagged. I think we'd need to support some way of saying "no, really, trust me" in that case.

@jsirois jsirois merged commit a641fd7 into pex-tool:master Nov 26, 2019
@jsirois jsirois deleted the issues/812 branch November 26, 2019 01:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Pex should trust any host passed via --index or --find-links.
2 participants