[Distutils] PyPi’s predictable download url

Nick Timkovich prometheus235 at gmail.com
Tue Jul 25 18:08:17 EDT 2017


On Tue, Jul 25, 2017 at 4:25 PM, Noah Kantrowitz <noah at coderanger.net>
wrote:

>
> > On Tuesday, July 25, 2017, Alexander Belopolsky <alexander.belopolsky at gmail.com> wrote:
> > $ curl -i http://pypi.org/pypi/virtualenv/json
> > HTTP/1.1 403 SSL is required
> > ...
> >
>
> To explain this: pypi.org is on the HSTS preload list so all major
> browsers will automatically use HTTPS for it no matter what. cURL does not
> support this feature.
>
> --Noah


Also sounds like a good idea so anyone that writes a client and forgets
that S will be forced to correct it rather than silently relying on a
redirect (slower, opportunity for attack).

Nick
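
The client-side counterpart of the behaviour discussed in this thread, as an added example that is not part of the original messages: a Python client that upgrades `http://` URLs for preloaded hosts locally (as browsers do), rejects any other plaintext URL before sending a request, and refuses redirects to non-HTTPS targets. `PRELOADED_HSTS_HOSTS`, `enforce_https`, `NoDowngradeRedirectHandler` and `open_index_url` are hypothetical names, and the one-entry preload set is a constructed stand-in for a real preload list.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser's HSTS preload list (assumption).
PRELOADED_HSTS_HOSTS = frozenset({"pypi.org"})


def enforce_https(url, preload=PRELOADED_HSTS_HOSTS):
    """Return the URL to request, or raise before any plaintext is sent."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    host = parts.hostname
    if parts.scheme == "http" and host in preload:
        # Upgrade locally, as a browser does for a preloaded host. The default
        # HTTP port and any userinfo are dropped; a non-default port is kept.
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    raise ValueError(f"refusing non-HTTPS URL: {url!r}")


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow redirects only when the target is HTTPS."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if urlsplit(newurl).scheme != "https":
            raise urllib.error.URLError(f"refusing redirect to {newurl!r}")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def open_index_url(url, timeout=10):
    """Open an index URL with both checks applied (performs network I/O)."""
    opener = urllib.request.build_opener(NoDowngradeRedirectHandler)
    return opener.open(enforce_https(url), timeout=timeout)
```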