> -----Original Message-----
> From: Distutils-SIG [mailto:distutils-sig-bounces+tritium-list=sdamon....@python.org] On Behalf Of Erik Bray
> Sent: Friday, October 27, 2017 11:16 AM
> To: Distutils <distutils-sig@python.org>
> Subject: Re: [Distutils] Disabling non HTTPS access to APIs on PyPI
>
> On Thu, Oct 26, 2017 at 5:11 PM, Donald Stufft <don...@stufft.io> wrote:
> > Historically PyPI was only available over either HTTP or unvalidated HTTPS, and over time we’ve been pushing more and more traffic onto HTTPS. In Warehouse the decision was made to *not* redirect “API” URLs from HTTP to HTTPS, but rather to return an error when accessing them over HTTP. This is because, while logged-in views have HSTS to ensure HTTPS in the browser (and with humans manually entering them into the URL bar regularly they are more error prone), APIs which are typically accessed by automated clients with a URL configured or hardcoded typically do not respect HSTS, so if you had a script that did ``curl http://pypi.python.org/simple/``, it would silently get redirected to https and appear to “work”, but you wouldn’t get any of the security properties of TLS because an attacker would just intercept the request prior to the redirect happening.
> >
> > Today I’ve backported this change to the current production deployment of PyPI, which means that you can no longer access /simple/ and /packages/ over HTTP and you will have to go directly to HTTPS. For most people this should have no effect, because most tooling should be defaulting to HTTPS anyways; however, if you’re using a significantly old version of tooling, it may still be defaulting to the HTTP URL and will now stop functioning.
> >
> > The recommended remediation is to upgrade your tooling to versions that support verified TLS connections and which default to the proper HTTPS URLs.
>
> +1
>
> This will probably (unfortunately) break some things for some people, which is worrying. But it is the right thing to do and good advice in general.
Might want to post a message on the front page of pypi.python.org when this becomes effective (if it's not there already.)

> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
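The failure mode Donald describes above, as an added offline simulation (example code written for this page, not PyPI's, Warehouse's or pip's own code): an automated client that follows an HTTP-to-HTTPS redirect never consults HSTS, so anyone on the path can answer the plaintext request before the redirect happens and the client still reports success. `SimpleIndexServer`, `Network`, the two index bodies and the `naive_fetch` / `strict_fetch` clients are constructed stand-ins; the simulation assumes the https leg is verified TLS the attacker cannot forge, and that the attacker can only see and answer plaintext requests.

```python
"""Offline simulation: HTTP->HTTPS redirects do not protect automated clients.

Constructed example, not PyPI code. Assumptions: an https request always
reaches the genuine origin (verified TLS); an on-path attacker can only
answer requests sent over plain http.
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed index bodies: same package name, different bytes.
GENUINE_INDEX = "<a href='/packages/requests-2.18.4.tar.gz'>requests-2.18.4</a>"
POISONED_INDEX = "<a href='/packages/requests-2.18.4.tar.gz'>requests-2.18.4</a><!-- attacker -->"


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None


class SimpleIndexServer:
    """PyPI-like origin. redirect_http=True mimics the old behaviour (301 to
    https); False mimics the Warehouse behaviour in the thread (error on http)."""

    def __init__(self, redirect_http: bool) -> None:
        self.redirect_http = redirect_http

    def handle(self, url: str) -> Response:
        parts = urlsplit(url)
        if parts.scheme == "https":
            return Response(200, GENUINE_INDEX)
        if self.redirect_http:
            return Response(301, location=urlunsplit(("https",) + tuple(parts[1:])))
        return Response(403, "Plain HTTP is not supported for this URL; use https://")


class Network:
    """The wire. With mitm_active, a plaintext request is answered by the
    attacker before the origin ever sees it; https requests are unforgeable."""

    def __init__(self, server: SimpleIndexServer, mitm_active: bool) -> None:
        self.server = server
        self.mitm_active = mitm_active

    def send(self, url: str) -> Response:
        if urlsplit(url).scheme == "http" and self.mitm_active:
            return Response(200, POISONED_INDEX)
        return self.server.handle(url)


def naive_fetch(net: Network, url: str, max_redirects: int = 5) -> Response:
    """Behaves like `curl -L` or a requests.get(): follows redirects, ignores HSTS."""
    for _ in range(max_redirects):
        resp = net.send(url)
        if resp.status in (301, 302, 307, 308) and resp.location:
            url = resp.location
            continue
        return resp
    raise RuntimeError("too many redirects")


def strict_fetch(net: Network, url: str) -> Response:
    """Refuses to put an API request on the wire at all unless it is https."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing plaintext index URL: {url}")
    resp = net.send(url)
    if resp.status != 200:
        raise RuntimeError(f"index fetch failed: {resp.status} {resp.body}")
    return resp


def outcome(client: Callable[[Network, str], Response], net: Network, url: str) -> str:
    """Classify what the client ends up with: genuine/poisoned/error/refused."""
    try:
        resp = client(net, url)
    except ValueError:
        return "refused"          # strict client never sent anything
    except RuntimeError:
        return "error"            # loud failure the operator will notice
    if resp.status != 200:
        return "error"
    return "genuine" if resp.body == GENUINE_INDEX else "poisoned"


def run_scenarios() -> dict:
    """Every combination of server policy, attacker presence and client type."""
    http_url = "http://pypi.python.org/simple/"
    https_url = "https://pypi.python.org/simple/"
    results = {}
    for name, server in (("redirecting", SimpleIndexServer(True)),
                         ("https_only", SimpleIndexServer(False))):
        for mitm in (False, True):
            net = Network(server, mitm)
            results[(name, mitm, "naive_http")] = outcome(naive_fetch, net, http_url)
            results[(name, mitm, "strict_http")] = outcome(strict_fetch, net, http_url)
            results[(name, mitm, "strict_https")] = outcome(strict_fetch, net, https_url)
    return results


if __name__ == "__main__":
    for key, value in sorted(run_scenarios().items()):
        print(f"{key[0]:<12} mitm={key[1]!s:<5} {key[2]:<12} -> {value}")
```

The table this prints makes the thread's two points concrete. With the redirecting server the naive client reports success whether or not an attacker is present, which is exactly why the redirect gave a false sense of security. Switching the server to error on plain HTTP does not stop an attacker who is already on the path (the naive client over http is still "poisoned" in that row), but it turns the everyday, no-attacker case into a loud failure, which is what forces the hardcoded http URL to be fixed. Only the client that refuses to send a plaintext API request at all is safe in every row.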