Notice: PyPI APIs now return 403 when accessed via HTTP

As part of an ongoing effort to improve the security of PyPI, instead of redirecting (or silently allowing) requests made over HTTP to PyPI APIs, these APIs will now return a 403 and require people to make the initial request over HTTPS.
This does not affect the UI portions of the site that are designed to be used by humans; for these we will still redirect (which will cause the browser to see the HSTS header and force the user to use HTTPS from then on out).
Thanks!
— Donald Stufft
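To make the announced policy concrete, here is an added example of a WSGI middleware that implements it: plain-HTTP API requests get a 403, plain-HTTP UI requests are redirected, and every HTTPS response carries an HSTS header. It is not PyPI's own code; the API/UI split (POST to /pypi and anything under /simple/ count as API), the HSTS value and the host name are assumptions, and the `request()` helper just drives the app with a constructed environ so it runs offline.

```python
from urllib.parse import quote
HSTS_VALUE = "max-age=31536000; includeSubDomains"  # assumed HSTS policy

def is_api_request(method, path):
    # Assumed split: the XML-RPC endpoint (POST /pypi) and the simple index are
    # machine-facing; every other path is treated as human-facing UI.
    return (method == "POST" and path == "/pypi") or path.startswith("/simple/")

class HttpsEnforcer:
    """Plain-HTTP API calls: 403. Plain-HTTP UI: redirect. HTTPS: add HSTS."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        method = environ.get("REQUEST_METHOD", "GET")
        path = environ.get("PATH_INFO", "/")
        if scheme != "https":
            if is_api_request(method, path):
                body = b"403 Forbidden: use https:// for this endpoint\n"
                start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                                 ("Content-Length", str(len(body)))])
                return [body]
            location = "https://" + environ["HTTP_HOST"] + quote(path)
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            headers = headers + [("Strict-Transport-Security", HSTS_VALUE)]
            return start_response(status, headers, exc_info)
        return self.app(environ, with_hsts)

def upstream(environ, start_response):
    # Stand-in for the real application behind the middleware.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def request(app, method, path, scheme, query=""):
    # Drive a WSGI app with a constructed environ; returns (status, headers, body).
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": query,
               "wsgi.url_scheme": scheme, "HTTP_HOST": "pypi.example"}  # constructed
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```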

Hello Donald,
Donald Stufft <donald <at> stufft.io> writes:
> As part of an ongoing effort to improve the security of PyPI, instead of redirecting (or silently allowing) requests made over HTTP to PyPI APIs, these APIs will now return a 403 and require people to make the initial request over HTTPS.
> This does not affect the UI portions of the site that are designed to be used by humans; for these we will still redirect (which will cause the browser to see the HSTS header and force the user to use HTTPS from then on out).
I have to kindly request that this change be reverted, or at least that the SimpleRPC call be exempted from it.
There's an installed base of tens of thousands of Puppet installations installing pip modules via a fscked up pip provider that's hardcoded to work against the http-based SimpleRPC endpoint, all of which are broken now :(
cURL equivalent of an example call they are making:
curl -v -X POST http://pypi.python.org/pypi -H 'Content-type: text/xml' -d "<?xml version='1.0'?><methodCall> <methodName>package_releases</methodName><params><param><value> <string>pip</string></value></param></params></methodCall>"
Fix they've done on their side: https://github.com/puppetlabs/puppet/commit/152299cc859fc74343c697841848086d4e41b6f8
Related Jira issue on their side: https://tickets.puppetlabs.com/browse/PUP-6120
As this change is only included in the very latest Puppet release (4.5) and means crossing one major and multiple minor releases for almost everyone using that code, I see no option but to plead for (the relevant part of) this to be reverted, on behalf of the affected admins and systems.
thank you for your consideration,