[Distutils] PyPi’s predictable download url

Tres Seaver tseaver at palladion.com
Tue Jul 25 18:06:57 EDT 2017


On 07/25/2017 05:25 PM, Noah Kantrowitz wrote:
> 
>> On Jul 25, 2017, at 2:15 PM, Wes Turner <wes.turner at gmail.com> wrote:
>>
>>
>>
>> On Tuesday, July 25, 2017, Alexander Belopolsky <alexander.belopolsky at gmail.com> wrote:
>> On Tue, Jul 25, 2017 at 4:18 PM, Nick Timkovich <prometheus235 at gmail.com> wrote:
>> ..
>>> That's because curl is kinda annoying and doesn't follow redirects by
>>> default:
>>>
>>> $ curl -i http://pypi.python.org/pypi/virtualenv/json
>>> HTTP/1.1 301 Moved Permanently
>>> ...
>>
>> Well, http://pypi.org/.. which is presumably the home of the latest
>> PyPI returns 403:
>>
>> $ curl -i http://pypi.org/pypi/virtualenv/json
>> HTTP/1.1 403 SSL is required
>> ...
>>
>> This suggests that redirects are considered to be legacy and may not
>> be supported in the future.
>>
>> Here are the warehouse routes:
>> https://github.com/pypa/warehouse/blob/master/warehouse/routes.py
>>
>> Why do you need an http to https redirect?
> 
> To explain this: pypi.org is on the HSTS preload list so all major
> browsers will automatically use HTTPS for it no matter what. cURL does
> not support this feature.

Seems like having an unconditional HTTP->HTTPS redirect in place would be a
"good neighbor" kind of thing (and belt-and-suspenders, as well).


Tres.
-- 
===================================================================
Tres Seaver          +1 540-429-0999          tseaver at palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
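
Added example, not part of the message above or of PyPI/warehouse code: a Python client that, like curl, has no HSTS preload list can apply the same upgrade itself, so no plaintext request is ever sent to an HTTPS-only host and a redirect can never move it from HTTPS back to HTTP. The `HTTPS_ONLY_HOSTS` set and the names `upgrade_url`, `HttpsPreservingRedirects` and `fetch_json` are assumptions made for this illustration.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: hosts this client treats as HTTPS-only, standing in for a
# browser's HSTS preload list. pypi.org is the host named in the thread.
HTTPS_ONLY_HOSTS = {"pypi.org"}


def upgrade_url(url):
    """Rewrite http:// to https:// for HTTPS-only hosts before sending anything."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname not in HTTPS_ONLY_HOSTS:
        return url
    # Port 80 (explicit or implied) becomes the HTTPS default; other ports
    # are kept. Userinfo in the URL is not carried over.
    netloc = parts.hostname
    if parts.port not in (None, 80):
        netloc = f"{netloc}:{parts.port}"
    return parts._replace(scheme="https", netloc=netloc).geturl()


class HttpsPreservingRedirects(urllib.request.HTTPRedirectHandler):
    """Follow redirects, upgrading HTTPS-only hosts and refusing downgrades."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        newurl = upgrade_url(newurl)
        was_https = req.full_url.lower().startswith("https:")
        if was_https and not newurl.lower().startswith("https:"):
            raise urllib.error.URLError(
                f"refusing HTTPS to HTTP redirect: {newurl}")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_json(url, timeout=10):
    """Fetch and decode a JSON document such as /pypi/<project>/json."""
    opener = urllib.request.build_opener(HttpsPreservingRedirects)
    with opener.open(upgrade_url(url), timeout=timeout) as resp:
        return json.load(resp)
```
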