[Distutils] Disabling non HTTPS access to APIs on PyPI
nate at bx.psu.edu
Thu Oct 26 14:10:26 EDT 2017
Heads up to anyone running pypiserver, this breaks the default redirection
from pypiserver to PyPI. There's an open issue to fix it. In the
meantime, you can use the pypiserver option `--fallback-url
https://pypi.python.org/simple/` to work around it.
On Thu, Oct 26, 2017 at 11:11 AM, Donald Stufft <donald at stufft.io> wrote:
> Historically PyPI was only available over either HTTP or unvalidated
> HTTPS, and over time we’ve been pushing more and more traffic onto HTTPS.
> In Warehouse the decision was made to *not* redirect “API” URLs from HTTP
> to HTTPS, but to rather return an error accessing them from HTTP. This is
> because while logged-in views have HSTS to ensure HTTPS in the browser (and
> with humans manually entering them into the URL bar regularly they are more
> error prone), APIs which are typically accessed by automated clients with a
> URL configured or hardcoded typically do not respect HSTS, so if you had a
> script that did ``curl http://pypi.python.org/simple/``, it would
> silently get redirected to https and appear to “work”, but you wouldn’t get
> any of the security properties of TLS because an attacker would just
> intercept the request prior to the redirect happening.
> Today I’ve backported this change to the current production deployment of
> PyPI, which means that you can no longer access /simple/ and /packages/
> over HTTP and you will have to directly go to HTTPS. For most people this
> should have no effect, because most tooling should be defaulting to HTTPS
> anyways, however if you’re using a significantly old version of tooling, it
> may still be defaulting to the HTTP url and will now stop functioning.
> The recommended remediation is to upgrade your tooling to versions that
> support verified TLS connections and which default to the proper HTTPS URLs.
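As an added illustration of the points in the thread (not code from the post, pypiserver or Warehouse): a plaintext index URL hardcoded in a client is unsafe whether or not the server redirects, and the remediation is to configure the HTTPS URL outright. The function and constant names are my own, and the sample URLs and responses are constructed.

```python
from urllib.parse import urlparse, urlunparse

# Constructed sample URLs, as a script or pypiserver --fallback-url might carry.
SECURE_INDEX = "https://pypi.python.org/simple/"
LEGACY_INDEX = "http://pypi.python.org/simple/"


def index_url_is_safe(url: str) -> bool:
    """True only if the configured index URL is HTTPS with a host.

    Automated clients do not honour HSTS, so an http:// URL gives no TLS
    guarantee even when the server would redirect: the first hop, and the
    redirect itself, travel in the clear.
    """
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def classify_plain_http_response(status: int, headers: dict) -> str:
    """Classify how a server answers a plain-HTTP request to an API path.

    'redirect'  - 3xx: a naive client follows it and appears to work, but the
                  request was already exposed before the redirect.
    'refused'   - 4xx/5xx with no redirect: the client fails loudly, the
                  behaviour the post describes for /simple/ and /packages/.
    'plaintext' - 2xx served over HTTP: no TLS at all.
    """
    if 300 <= status < 400:
        return "redirect"
    if status >= 400:
        return "refused"
    return "plaintext"


def upgrade_to_https(url: str) -> str:
    """Rewrite an http:// index URL to https:// on the same host and path.

    This is the configuration-side fix (e.g. the value passed to
    pypiserver's --fallback-url); HTTPS URLs are returned unchanged.
    """
    parts = urlparse(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    return urlunparse(parts)


if __name__ == "__main__":
    for url in (SECURE_INDEX, LEGACY_INDEX):
        print(url, "safe" if index_url_is_safe(url) else "unsafe ->", upgrade_to_https(url))
```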