[Catalog-sig] HTTPS now promoted on PyPI

Andreas Jung lists at zopyx.com
Tue Feb 19 15:50:35 CET 2013


Hi there,

I appreciate all the work done on making PyPI more secure.
However, this switch has not been tested properly and the current massive
problems cause worldwide trouble. Any chance to fix this soon, or what
is the way to use http:// only until the problem is fixed?

Andreas

Richard Jones wrote:
> Hi all,
> 
> I've just altered the nginx configuration to promote (i.e. redirect
> to) HTTPS for all GET/HEAD requests. This includes HSTS, but I've set
> the lifetime to 1 day just in case there are some HTTPS compatibility
> issues. Once it's bedded down I'll bump it to a year.
> 
> I looked into distutils, but since it uses urllib and urllib just 
> raises an error on 307 redirects we're a little stymied as to what
> we can actually do for POSTs for it...
> 
> We really need to fix distutils to replace the HTTP URL with HTTPS
> and handle .pypirc issues. At this point I believe our options are:
> 
> 1. live with it,
> 2. incorporate some monkey-patching into distribute and setuptools
>    and promote those,
> 3. write a stand-alone uploader (or add such functionality to pip)
>    which can monkey-patch distutils,
> 4. fix distutils (and accept a long lead time to actual impact), or
> 5. all of the above
> 
> 
> Richard

-- 
ZOPYX Limited         | Python | Zope | Plone | MongoDB
Hundskapfklinge 33    | Consulting & Development
D-72074 Tübingen      | Electronic Publishing Solutions
www.zopyx.com         | Scalable Web Solutions
--------------------------------------------------
Produce & Publish - www.produce-and-publish.com


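The redirect behaviour and the distutils fix-up discussed in the quoted message, as an added example that is not part of the original thread or of distutils itself. It uses Python 3's `urllib.request`, whose default redirect handler follows a 307 for GET but raises for POST, and then upgrades `repository` URLs in a `.pypirc` before any upload is attempted. The sample `.pypirc`, the `HTTPS_HOSTS` allowlist and both function names are assumptions made for illustration.

```python
import configparser
import io
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .pypirc (not from the thread); hosts are assumptions.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    internal

[pypi]
repository: http://pypi.python.org/pypi

[internal]
repository: http://devpi.example.internal/simple
"""

HTTPS_HOSTS = {"pypi.python.org"}  # assumption: hosts known to serve HTTPS


def stock_redirect_allowed(method, code, old_url, new_url):
    """Ask urllib's default handler whether it would follow this redirect."""
    req = urllib.request.Request(old_url, data=b"x" if method == "POST" else None,
                                 method=method)
    handler = urllib.request.HTTPRedirectHandler()
    try:
        handler.redirect_request(req, io.BytesIO(b""), code, "redirect", {}, new_url)
        return True
    except urllib.error.HTTPError:
        return False  # the handler refuses, so the upload fails instead of moving


def upgrade_repositories(pypirc_text, https_hosts=HTTPS_HOSTS):
    """Return {section: repository URL}, with http:// upgraded for known hosts."""
    parser = configparser.RawConfigParser()
    parser.read_string(pypirc_text)
    result = {}
    for section in parser.sections():
        if not parser.has_option(section, "repository"):
            continue
        parts = urlsplit(parser.get(section, "repository"))
        if parts.scheme == "http" and parts.hostname in https_hosts:
            parts = parts._replace(scheme="https")  # never send credentials in clear
        result[section] = urlunsplit(parts)
    return result
```

Rewriting the URL on the client avoids relying on the redirect at all, so the credentials in a POST are never sent over plain HTTP first.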