[Distutils] PyPi’s predictable download url

Noah Kantrowitz noah at coderanger.net
Tue Jul 25 18:16:00 EDT 2017


> On Jul 25, 2017, at 3:06 PM, Tres Seaver <tseaver at palladion.com> wrote:
> 
> On 07/25/2017 05:25 PM, Noah Kantrowitz wrote:
>> 
>>> On Jul 25, 2017, at 2:15 PM, Wes Turner <wes.turner at gmail.com> wrote:
>>> 
>>> 
>>> 
>>> On Tuesday, July 25, 2017, Alexander Belopolsky <alexander.belopolsky at gmail.com> wrote:
>>> On Tue, Jul 25, 2017 at 4:18 PM, Nick Timkovich <prometheus235 at gmail.com> wrote:
>>> ..
>>>> That's because curl is kinda annoying and doesn't follow redirects by
>>>> default:
>>>> 
>>>> $ curl -i http://pypi.python.org/pypi/virtualenv/json
>>>> HTTP/1.1 301 Moved Permanently
>>>> ...
>>> 
>>> Well, http://pypi.org/.. which is presumably the home of the latest
>>> PyPI returns 403:
>>> 
>>> $ curl -i http://pypi.org/pypi/virtualenv/json
>>> HTTP/1.1 403 SSL is required
>>> ...
>>> 
>>> This suggests that redirects are considered to be legacy and may not
>>> be supported in the future.
>>> 
>>> Here are the warehouse routes:
>>> https://github.com/pypa/warehouse/blob/master/warehouse/routes.py
>>> 
>>> Why do you need an http to https redirect?
>> 
>> To explain this: pypi.org is on the HSTS preload list so all major
>> browsers will automatically use HTTPS for it no matter what. cURL does
>> not support this feature.
> Seems like having an unconditional HTTP->HTTPS redirect in place would be a
> "good neighbor" kind of thing (and belt-and-suspenders, as well).

Those redirects lead to a false sense of security. As pypi.org is new and we know there are no legacy links to it out there, it does not make sense to allow http://pypi.org as a thing. There is no such website as http://pypi.org.

--Noah
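The point of contention above is that a browser never issues the plain-http request for a preloaded host (it rewrites the URL before the socket opens), while a tool like curl only learns about HTTPS if the server redirects it and it is told to follow with -L. The following is an added illustration, not code from the thread or from Warehouse: a small Python model of an HSTS-aware client that carries a built-in preload set, parses Strict-Transport-Security headers received over HTTPS (and ignores them over HTTP, as RFC 6797 requires), and upgrades http:// URLs accordingly. The preload set containing only pypi.org and the example.test hostnames are constructed for the demonstration; the preload eligibility thresholds are assumptions about hstspreload.org's published rules.

```python
"""Toy HSTS client: preload list + header-learned policies -> URL upgrade.

Added example for illustration; not the behaviour of any real browser
or of curl. Hostnames and the preload set below are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # assumed hstspreload.org minimum max-age, in seconds


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns {"max_age": int, "include_subdomains": bool, "preload": bool}.
    Directive names are case-insensitive, max-age may be quoted, and
    unknown directives are ignored. max-age is mandatory.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("Strict-Transport-Security requires max-age")
    return policy


def preload_eligible(value):
    """Assumed preload-list criteria: >= 1 year, includeSubDomains, preload."""
    p = parse_hsts(value)
    return p["max_age"] >= ONE_YEAR and p["include_subdomains"] and p["preload"]


class HstsClient:
    """Rewrites http:// URLs to https:// for hosts the client knows as HSTS."""

    def __init__(self, preload=(), now=time.time):
        self.preload = {h.lower() for h in preload}   # compiled-in, never expires
        self.cache = {}   # host -> (expires_at, include_subdomains), learned at runtime
        self.now = now    # injectable clock so expiry can be exercised

    def _covered(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            # Preloaded entries always cover subdomains (a preload requirement).
            if candidate in self.preload:
                return True
            entry = self.cache.get(candidate)
            if entry is not None:
                expires_at, include_sub = entry
                if expires_at > self.now() and (i == 0 or include_sub):
                    return True
        return False

    def upgrade(self, url):
        """Return the https:// form of url if HSTS applies, else url unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self._covered(parts.hostname):
            return url   # no policy known: this request really goes out in clear
        netloc = parts.netloc
        if parts.port == 80:   # RFC 6797 section 8.3: explicit port 80 becomes 443
            netloc = netloc.rsplit(":", 1)[0] + ":443"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def observe(self, url, headers):
        """Record the STS policy from a response; returns True if one was applied.

        Headers seen over plain HTTP are ignored (RFC 6797 section 8.1), so a
        downgrading attacker cannot plant or clear a policy.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        policy = parse_hsts(value)
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self.cache.pop(host, None)   # max-age=0 withdraws the policy
        else:
            self.cache[host] = (self.now() + policy["max_age"],
                                policy["include_subdomains"])
        return True


if __name__ == "__main__":
    client = HstsClient(preload={"pypi.org"})   # constructed preload set
    print(client.upgrade("http://pypi.org/pypi/virtualenv/json"))
    print(client.upgrade("http://example.test/"))
```

The contrast with the thread's curl session is the `upgrade` step: the model never emits an http:// request for pypi.org because the host is in its preload set, whereas curl has no such set and, without -L, stops at whatever the server answers (a 301 on pypi.python.org, a 403 on pypi.org). A script that talks to pypi.org should therefore spell out https:// rather than rely on a redirect.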


