On 29 Aug 2013 03:17, "Trishank Karthik Kuppusamy" <tk47@students.poly.edu> wrote:
>
> On 08/28/2013 12:09 PM, Christian Theune wrote:
> > Right. It doesn't add any security on its own, but it's a way that
> > people can discover you're using SSL. :) I'll have to read up on how
> > to do HSTS actually
>
> That was my next question. Does pip honour HSTS? I could be wrong, but I
> do not think so...

It's likely worth checking with Donald and Noah how the SSL enforcement on PyPI itself is set up. I believe the aim was just to ensure browsers are always using HTTPS, while switching other tools to SSL still requires client side updates.

Cheers,
Nick.

>
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> http://mail.python.org/mailman/listinfo/distutils-sig
>