Secure submission via HTTPS isn't documented anywhere #39
Comments
We recommend Twine in the tools listing and we tell people not to use other uploading approaches because they're potentially less secure. Perhaps we should strengthen that latter explanation by explicitly saying that Twine is the only way to submit over an encrypted (HTTPS) connection.
Is it still true that setup.py upload does not validate certificates, now that SSL improvements have been backported to the 2.7 stdlib?
Depends on your Python version and what your distro has done. Modern versions are fine, but there's the caveat where we can't tell people it's safe flat out, but that they have to think about what Python they're using to do the upload. This becomes more difficult when building wheels for like... Python 2.6 or so which cannot be safely uploaded with distutils. So generally it's less error prone to just tell people to only use twine rather than try to document the situations in which it is safe and unsafe to use distutils.
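A self-check for the caveat in the comment above, added here as an example and not code from this thread, from twine or from distutils: it asks the running interpreter whether its default HTTPS handling verifies server certificates and hostnames. `setup.py upload` sends its request through `urllib`, so that default is what decides whether the upload is protected; the function names and the dictionary layout are this example's own.

```python
import ssl
import sys


def tls_verification_status():
    """Report whether this interpreter verifies TLS certificates by default.

    urllib's HTTPS handler builds its context with the private hook
    ssl._create_default_https_context. Interpreters that predate PEP 476
    (2.6, 2.7.x before 2.7.9, 3.x before 3.4.3) have no such hook and do
    no verification; on newer ones a distro-level opt-out (PEP 493 on 2.7)
    or a monkeypatch can still switch it off, so inspect the hook itself.
    """
    status = {
        "python": sys.version.split()[0],
        "openssl": getattr(ssl, "OPENSSL_VERSION", "unknown"),
        "has_pep476_context": hasattr(ssl, "create_default_context"),
        "verifies_certificates": False,
        "checks_hostname": False,
        "urllib_default_verifies": False,
    }
    if not status["has_pep476_context"]:
        return status  # old stdlib: nothing to inspect, treat as unverified
    ctx = ssl.create_default_context()
    status["verifies_certificates"] = ctx.verify_mode == ssl.CERT_REQUIRED
    status["checks_hostname"] = bool(ctx.check_hostname)
    # This is the factory urllib actually calls; if it has been replaced by
    # ssl._create_unverified_context, uploads go out without verification.
    factory = getattr(ssl, "_create_default_https_context", None)
    https_ctx = factory() if factory is not None else None
    status["urllib_default_verifies"] = (
        https_ctx is not None
        and https_ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(https_ctx.check_hostname)
    )
    return status


def safe_to_upload():
    """True only if every check passed; False means use twine instead."""
    s = tls_verification_status()
    return (s["verifies_certificates"] and s["checks_hostname"]
            and s["urllib_default_verifies"])


if __name__ == "__main__":
    for key, value in tls_verification_status().items():
        print("%-25s %s" % (key, value))
    print("safe_to_upload:", safe_to_upload())
```

Run it with the exact interpreter that would perform the upload; a different `python` on the PATH tells you nothing about that one.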
I'd check with @encukou and @warsaw to be sure, but I think the problematic cases now are just:
All that said, I agree with @brainwane that @r1chardj0n3s's original concern has been addressed: we explicitly recommend twine, and advise against the use of distutils.
A secure
The problem's already as solved as it can be: installing
As far as I can tell, and certainly users find the same problem, there's nothing out there to indicate that HTTPS submission of packages to PyPI is possible only using twine.