[Distutils] Notice: PyPI APIs now return 403 when accessed via HTTP

Andreas Kotes count-python.org at flatline.de
Fri Jun 24 07:55:09 EDT 2016


Hello Donald,

Donald Stufft <donald <at> stufft.io> writes:
> In part of an ongoing effort to improve the security of PyPI, instead
> of redirecting (or silently allowing) requests made over HTTP to PyPI
> APIs, these APIs will now return a 403 and require people to make the
> initial request over HTTPS.
> 
> This does not affect the UI portions of the site that are designed to
> be used by humans, for these we will still redirect (which will cause
> the browser to see the HSTS header and force the user to use HTTPS
> from then on out).

I have to kindly request that this change be reverted, or at least that 
the SimpleRPC call be exempted from it.

There's an installed base of tens of thousands of Puppet installations 
installing pip modules via a fscked up pip provider that's hardcoded to 
work against the http-based SimpleRPC endpoint, all of which are broken 
now :(

cURL equivalent of an example call they are making:

curl -v -X POST http://pypi.python.org/pypi -H 'Content-type: text/xml' \
  -d "<?xml version='1.0'?><methodCall><methodName>package_releases</methodName><params><param><value><string>pip</string></value></param></params></methodCall>"

fix they've done on their side:
https://github.com/puppetlabs/puppet/commit/152299cc859fc74343c697841848086d4e41b6f8
related Jira issue on their side:
https://tickets.puppetlabs.com/browse/PUP-6120

as this change is only included in the very latest Puppet release (4.5), 
and means crossing one major and multiple minor releases for almost 
everyone using that code, I see no option but to plead for a revert of 
(the relevant part of) this on behalf of the affected admins and systems.

thank you for your consideration,

   count

-- 
Andreas 'count' Kotes
Taming computers for humans since 1990.
"Don't ask what the world needs. Ask what makes you come alive, and go 
do it.
Because what the world needs is people who have come alive." -- Howard 
Thurman
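The XML-RPC exchange behind the curl command in the message above, as an added example that is not code from the post, from Puppet or from PyPI: the client builds the same package_releases methodCall, refuses an http:// endpoint before sending anything (a client that merely follows an http-to-https redirect has already sent its first request in the clear), and decodes the methodResponse. The stand-in server, the release numbers it returns and the `send(url, body) -> (status, body)` callback convention are assumptions made here so the code runs offline; the stand-in only mirrors the policy stated in the notice (403 on http, answer on https).

```python
# Added example (not from the mailing-list post, Puppet or PyPI): the
# package_releases XML-RPC call from the curl command, with the client
# refusing plaintext HTTP up front instead of relying on a server redirect.
# fake_pypi is a constructed stand-in that mirrors the policy in the notice
# (403 over http://, a normal answer over https://); it is not PyPI's code.
import xmlrpc.client
from urllib.parse import urlsplit

PYPI_XMLRPC = "https://pypi.python.org/pypi"


def build_request(package):
    """Serialise the methodCall body the curl example posts."""
    return xmlrpc.client.dumps((package,), methodname="package_releases").encode()


def require_https(url):
    """Reject http:// endpoints before any bytes leave the host.

    Following an http->https redirect still sends the first request in
    the clear; hard-coding https is the kind of fix Puppet applied.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing plaintext endpoint %r; use https://" % url)
    return url


def parse_response(body):
    """Decode a methodResponse; raises xmlrpc.client.Fault on a fault."""
    (value,), _method = xmlrpc.client.loads(body.decode())
    return list(value)


def package_releases(package, send, url=PYPI_XMLRPC):
    """Call package_releases through a `send(url, body) -> (status, body)` callback."""
    status, body = send(require_https(url), build_request(package))
    if status != 200:
        raise RuntimeError("HTTP %d from %s: %r" % (status, url, body[:60]))
    return parse_response(body)


# Constructed stand-in for the index; these release numbers are made up.
_FAKE_INDEX = {"pip": ["8.1.2", "8.1.1"]}


def fake_pypi(url, body):
    """Mimic the notice's policy: 403 over http, XML-RPC as usual over https."""
    if urlsplit(url).scheme != "https":
        return 403, b"Forbidden"
    params, method = xmlrpc.client.loads(body.decode())
    if method != "package_releases":
        fault = xmlrpc.client.Fault(1, "unknown method %r" % method)
        return 200, xmlrpc.client.dumps(fault, methodresponse=True).encode()
    releases = _FAKE_INDEX.get(params[0], [])
    return 200, xmlrpc.client.dumps((releases,), methodresponse=True).encode()


def plaintext_call_status(package):
    """What the hard-coded http:// provider sees from the stand-in: the raw status."""
    status, _ = fake_pypi("http://pypi.python.org/pypi", build_request(package))
    return status


if __name__ == "__main__":
    print(build_request("pip").decode())
    print("http://  ->", plaintext_call_status("pip"))
    print("https:// ->", package_releases("pip", fake_pypi))
```

Swapping `fake_pypi` for a real HTTPS POST (for example via urllib) turns `package_releases` into a live call; `require_https` is deliberately outside the transport so that a misconfigured base URL fails loudly on the client rather than as a 403 from the server.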
