[Catalog-sig] HTTPS now promoted on PyPI

Richard Jones r1chardj0n3s at gmail.com
Tue Feb 19 06:13:38 CET 2013


Hi all,

I've just altered the nginx configuration to promote (i.e. redirect to)
HTTPS for all GET/HEAD requests. This includes HSTS, but I've set the
lifetime to 1 day just in case there are some HTTPS compatibility
issues. Once it's bedded down I'll bump it to a year.

I looked into distutils, but since it uses urllib and urllib just
raises an error on 307 redirects we're a little stymied as to what we
can actually do for POSTs for it...

We really need to fix distutils to replace the HTTP URL with HTTPS and
handle .pypirc issues. At this point I believe our options are:

1. live with it,
2. incorporate some monkey-patching into distribute and setuptools and
promote those,
3. write a stand-alone uploader (or add such functionality to pip)
which can monkey-patch distutils,
4. fix distutils (and accept a long lead time to actual impact), or
5. all of the above


     Richard
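
The following is an added example, not part of the original message and not PyPI's or distutils' own code: it shows the redirect behaviour the message describes and one way to rewrite `.pypirc` so an upload never starts over plain HTTP. It uses Python 3's `urllib.request`, whose stock redirect handler still refuses a 307 for a POST. Assumptions: the function names `post_follows_redirect` and `upgrade_pypirc` are hypothetical, and the `.pypirc` content and host names are constructed samples.

```python
import configparser
import io
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample .pypirc; the credentials are placeholders.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    internal

[pypi]
repository: http://pypi.python.org/pypi
username: alice
password: not-a-real-password

[internal]
repository: https://packages.example.invalid/simple
username: alice
"""

def post_follows_redirect(code):
    """True if urllib's stock redirect handler would follow `code` for a POST."""
    req = urllib.request.Request("http://index.example.invalid/", data=b"x", method="POST")
    handler = urllib.request.HTTPRedirectHandler()
    try:
        new = handler.redirect_request(req, io.BytesIO(), code, "redirect", {},
                                       "https://index.example.invalid/")
    except urllib.error.HTTPError:
        return False  # urllib refuses and surfaces the redirect as an error
    return new is not None

def upgrade_pypirc(text):
    """Return (rewritten_text, changed_sections) with http:// repositories made https://."""
    cp = configparser.RawConfigParser()  # Raw: no % interpolation of passwords
    cp.read_string(text)
    changed = []
    for section in cp.sections():
        if not cp.has_option(section, "repository"):
            continue
        parts = urlsplit(cp.get(section, "repository").strip())
        if parts.scheme == "http":
            cp.set(section, "repository", parts._replace(scheme="https").geturl())
            changed.append(section)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue(), changed
```

Rewriting the configured URL matters more than following the redirect: by the time a server answers an HTTP POST with a redirect, the request and its credentials have already crossed the network unencrypted.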

