[Catalog-sig] HTTPS now promoted on PyPI

Noah Kantrowitz noah at coderanger.net
Tue Feb 19 09:02:22 CET 2013


On Feb 18, 2013, at 9:13 PM, Richard Jones wrote:

> Hi all,
> 
> I've just altered the nginx configuration to promote (i.e. redirect to)
> HTTPS for all GET/HEAD requests. This includes HSTS, but I've set the
> lifetime to 1 day just in case there are some HTTPS compatibility
> issues. Once it's bedded down I'll bump it to a year.
> 
> I looked into distutils, but since it uses urllib and urllib just
> raises an error on 307 redirects we're a little stymied as to what we
> can actually do for POSTs for it...
> 
> We really need to fix distutils to replace the HTTP URL with HTTPS and
> handle .pypirc issues. At this point I believe our options are:
> 
> 1. live with it,
> 2. incorporate some monkey-patching into distribute and setuptools and
> promote those,
> 3. write a stand-alone uploader (or add such functionality to pip)
> which can monkey-patch distutils,
> 4. fix distutils (and accept a long lead time to actual impact), or
> 5. all of the above

Something in pip might be nice so that it could reuse all the SSL peer verification logic for uploads too (would require pipelining to be secure though, not sure how easy that would be to do).

--Noah
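
Added example, not part of the original thread or of distutils/pip: one way a client-side tool could "replace the HTTP URL with HTTPS" in a `.pypirc` before uploading, so the POST never goes out over plain HTTP and never depends on a redirect. The host allow-list, the sample file, and the function names are assumptions made for illustration.

```python
import configparser
import io
from urllib.parse import urlsplit, urlunsplit

# Assumption for this example: hosts known to serve the index over HTTPS.
UPGRADE_HOSTS = {"pypi.python.org"}

# Constructed sample .pypirc (not taken from the thread).
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    internal

[pypi]
repository = http://pypi.python.org/pypi
username = example-user

[internal]
repository = http://pypi.internal.example/simple
username = example-user
"""

def upgrade_url(url):
    """Return (url, changed); http:// on a known host and default port becomes https://."""
    parts = urlsplit(url)
    if (parts.scheme == "http" and parts.hostname in UPGRADE_HOSTS
            and parts.port in (None, 80) and parts.username is None):
        return urlunsplit(("https", parts.hostname, parts.path,
                           parts.query, parts.fragment)), True
    return url, False

def upgrade_pypirc(text):
    """Rewrite 'repository' options; return (new_text, names of changed sections)."""
    cfg = configparser.RawConfigParser()
    cfg.read_string(text)
    changed = []
    for section in cfg.sections():
        if cfg.has_option(section, "repository"):
            new_url, did_change = upgrade_url(cfg.get(section, "repository").strip())
            if did_change:
                cfg.set(section, "repository", new_url)
                changed.append(section)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue(), changed

if __name__ == "__main__":
    text, changed = upgrade_pypirc(SAMPLE_PYPIRC)
    print("upgraded sections:", changed)
    print(text)
```

URLs on hosts outside the allow-list, on non-default ports, or with embedded credentials are left unchanged rather than guessed at.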


