> On Jul 25, 2017, at 6:06 PM, Tres Seaver <tsea...@palladion.com> wrote:
> 
> On 07/25/2017 05:25 PM, Noah Kantrowitz wrote:
>> 
>>> On Jul 25, 2017, at 2:15 PM, Wes Turner <wes.tur...@gmail.com> wrote:
>>> 
>>> 
>>> 
>>> On Tuesday, July 25, 2017, Alexander Belopolsky 
>>> <alexander.belopol...@gmail.com> wrote:
>>> On Tue, Jul 25, 2017 at 4:18 PM, Nick Timkovich <prometheus...@gmail.com> 
>>> wrote:
>>> ..
>>>> That's because curl is kinda annoying and doesn't follow redirects by
>>>> default:
>>>> 
>>>> $ curl -i http://pypi.python.org/pypi/virtualenv/json
>>>> HTTP/1.1 301 Moved Permanently
>>>> ...
>>> 
>>> Well, http://pypi.org/.. which is presumably the home of the latest
>>> PyPI returns 403:
>>> 
>>> $ curl -i http://pypi.org/pypi/virtualenv/json
>>> HTTP/1.1 403 SSL is required
>>> ...
>>> 
>>> This suggests that redirects are considered to be legacy and may not
>>> be supported in the future.
>>> 
>>> Here are the warehouse routes:
>>> https://github.com/pypa/warehouse/blob/master/warehouse/routes.py
>>> 
>>> Why do you need an http to https redirect?
>> 
>> To explain this: pypi.org is on the HSTS preload list so all major
>> browsers will automatically use HTTPS for it no matter what. cURL does
>> not support this feature.
> Seems like having an unconditional HTTP->HTTPS redirect in place would be a
> "good neighbor" kind of thing (and belt-and-suspenders, as well).
Warehouse purposely only redirects “UI” pages from HTTP to HTTPS, API pages 
hard fail on HTTP.

The rationale here is that UI pages are most likely going to be visited by 
browsers/people which may not support the HSTS preload list so we don’t want to 
display an error for those people (and if they support HSTS at all, future 
visits will be HTTPS). However for API views the most typical case is for 
someone to hardcode a URL in a client/script/configuration somewhere, and 
there the HTTP -> HTTPS redirect actually does them a disservice, because it 
silently allows them to be insecure (since a network attacker can intercept the 
HTTP request and just never redirect) and most automated tooling does not 
support HSTS (so future requests won’t be secure either).

Thus this is a trade-off, and for browsers the trade-off is to make it work, and 
for automated tooling the trade-off is to make it correct.


—
Donald Stufft
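The split policy described in the reply (redirect UI pages, hard-fail API routes over plain HTTP) and the matching client-side guard, written here as an added illustration rather than Warehouse's own code; the API path prefix list and the HSTS header value are assumptions, not taken from the routes file linked above.

```python
"""Added example (not Warehouse's own code): HTTP->HTTPS handling that redirects
UI pages but hard-fails API routes, plus a client check that refuses to depend
on that redirect for a hardcoded API URL."""
from urllib.parse import urlsplit, urlunsplit

# Assumption: which path prefixes count as API routes. /pypi/<name>/json is the
# route discussed in the thread; a real deployment would list every API route.
API_PREFIXES = ("/pypi/",)
# Assumption: a typical preload-eligible HSTS value, not Warehouse's actual header.
HSTS = "max-age=31536000; includeSubDomains; preload"


def is_api_path(path: str) -> bool:
    return any(path.startswith(prefix) for prefix in API_PREFIXES)


def handle_request(scheme: str, host: str, path: str) -> tuple:
    """Return (status, headers) for an incoming request.

    Over HTTPS the request is served (200 here) with the HSTS header attached,
    so HSTS-aware clients stay on HTTPS for future visits. Over HTTP, UI pages
    get a 301 to the HTTPS URL; API routes get a 403 instead, so a script that
    hardcoded http:// fails loudly rather than being silently downgradable by
    an on-path attacker who just never sends the redirect.
    """
    if scheme == "https":
        return 200, {"Strict-Transport-Security": HSTS}
    if is_api_path(path):
        return 403, {}  # "SSL is required": no redirect for API routes
    return 301, {"Location": urlunsplit(("https", host, path, "", ""))}


def require_https_api_url(url: str) -> str:
    """Client-side guard for a hardcoded API URL: refuse anything but https://.

    curl and most scripting HTTP clients do not consult the HSTS preload list,
    so a server redirect would be the only thing protecting the first request.
    Rejecting the URL when it is configured removes that dependency entirely.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing insecure API URL (scheme {parts.scheme!r}): {url}")
    return url
```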



_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig