[scl.org] Fwd: [Distutils] Disabling non HTTPS access to APIs on PyPI

Nick Coghlan ncoghlan at gmail.com
Fri Oct 27 02:39:07 UTC 2017

Hi folks,

I'm pretty sure that all the current Python SCLs are sufficiently up to
date that they'll be accessing PyPI over HTTPS by default, but passing this
notice along anyway: if you start getting access errors for PyPI, check to
make sure you don't still have some HTTP URLs in your config settings.


---------- Forwarded message ----------
From: Donald Stufft <donald at stufft.io>
Date: 27 October 2017 at 01:11
Subject: [Distutils] Disabling non HTTPS access to APIs on PyPI
To: Distutils <distutils-sig at python.org>

Historically PyPI was only available over either HTTP or unvalidated HTTPS,
and over time we’ve been pushing more and more traffic onto HTTPS. In
Warehouse the decision was made to *not* redirect “API” URLs from HTTP to
HTTPS, but to rather return an error accessing them from HTTP. This is
because while logged in views have HSTS to ensure HTTPS in the browser (and
with humans manually entering them into the URL bar regularly they are more
error prone) APIs which are typically accessed by automated clients with an
URL configured or hardcoded typically do not respect HSTS, so if you had a
script that did ``curl http://pypi.python.org/simple/``, it would silently
get redirects to https and appear to “work”, but you wouldn’t get any of
the security properties of TLS because an attacker would just intercept the
request prior to the redirect happening.

Today I’ve backported this changed to the current production deployment of
PyPI, which means that you can no longer access /simple/ and /packages/
over HTTP and you will have to directly go to HTTPS. For most people this
should have no effect, because most tooling should be defaulting to HTTPS
anyways, however if you’re using a significantly old version of tooling, it
may still be defaulting to the HTTP url and will now stop functioning.

The recommended remediation is to upgrade your tooling to versions that
support verified TLS connections and which default to the proper HTTPS URLs.

Distutils-SIG maillist  -  Distutils-SIG at python.org

Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/sclorg/attachments/20171027/f9147b0b/attachment.htm>

More information about the SCLorg mailing list