[Distutils] TLS support policy & PyPI communications

Donald Stufft donald at stufft.io
Thu Mar 22 03:25:00 EDT 2018

Just as an FYI, as of this morning we’ve started doing brownouts of the deprecated TLS versions. For the first 10 minutes of each hour anyone attempting to access PyPI with TLSv1.0 or TLSv1.1 will get a 403 response with an informative error. 

As we get closer to the deadline I will be ramping up the amount of time the endpoint is down for the deprecated TLS versions. The ultimate goal being to have it be 100% unavailable prior to the final deadline (because we can give a good error message, once the deadline hits it will just be a crappy OpenSSL error).

Sent from my iPhone

> On Mar 21, 2018, at 10:58 PM, Sumana Harihareswara <sh at changeset.nyc> wrote:
> PSF blogged last year
> https://pyfound.blogspot.com/2017/01/time-to-upgrade-your-python-tls-v12.html
> that
>> The more crucial deadline comes June 30, 2018. On that date all remaining python.org sites, including PyPI, will no longer support TLS 1.0 and 1.1. Older Python versions that do not implement TLSv1.2 will be prohibited from accessing PyPI.
> I asked Ernest W. Durbin III whether I ought to re-announce this to
> users in my PyPI announcements. He looked at our TLS trends/stats and
> told me we have a very very low proportion of traffic that will be
> affected when we shift over. Therefore, since it'll affect so few, I
> won't shout about TLS versions in my PyPI communications. Marking that
> here for the record.
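
An added example, not part of this thread and not PyPI's own code: a sketch of how an operator could replay access-log lines against the brownout schedule described above (deprecated TLS versions rejected for the first N minutes of each hour) to see how many requests would receive the 403. The log format, the sample lines and all function names are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Protocol labels treated as deprecated (TLS 1.0 and 1.1, per the thread).
DEPRECATED = {"TLSv1", "TLSv1.0", "TLSv1.1"}

# Constructed sample lines in an assumed format:
#   <UTC timestamp> <negotiated TLS version> <client user agent>
SAMPLE_LOG = """\
2018-03-22T07:03:11Z TLSv1.2 pip/9.0.1
2018-03-22T07:04:52Z TLSv1 pip/1.5.4
2018-03-22T07:09:59Z TLSv1.1 setuptools/18.0
2018-03-22T07:10:00Z TLSv1 pip/1.5.4
2018-03-22T07:41:30Z TLSv1.2 pip/9.0.3
2018-03-22T08:00:00Z TLSv1.0 urllib/2.7
"""

LINE = re.compile(r"^(\S+)\s+(TLSv[\d.]+)\s+(.+)$")


def in_brownout(ts, minutes_per_hour=10):
    """True when ts falls in the first `minutes_per_hour` minutes of its hour."""
    return ts.minute < minutes_per_hour


def classify(line, minutes_per_hour=10):
    """Return 'ok', 'rejected_403', 'deprecated_served', or None if unparsable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    if m.group(2) not in DEPRECATED:
        return "ok"
    return "rejected_403" if in_brownout(ts, minutes_per_hour) else "deprecated_served"


def summarize(log, minutes_per_hour=10):
    """Count outcomes over a whole log for a given brownout length."""
    counts = Counter()
    for line in log.splitlines():
        counts[classify(line, minutes_per_hour) or "unparsed"] += 1
    return counts


if __name__ == "__main__":
    for minutes in (10, 30, 60):  # ramping the brownout up toward 100%
        print(minutes, dict(summarize(SAMPLE_LOG, minutes)))
```

Raising `minutes_per_hour` to 60 models the fully unavailable state the message describes as the goal before the final deadline.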
