[Distutils] Notice: PyPI APIs now return 403 when accessed via HTTP
Andreas Kotes
count-python.org at flatline.de
Fri Jun 24 07:55:09 EDT 2016
Hello Donald,
Donald Stufft <donald <at> stufft.io> writes:
> In part of an ongoing effort to improve the security of PyPI, instead
> of redirecting (or silently allowing)
> requests made over HTTP to PyPI APIs, these APIs will now return a 403
> and require people to make the initial
> request over HTTPS.
>
> This does not affect the UI portions of the site that are designed to
> be used by humans, for these we will still
> redirect (which will cause the browser to see the HSTS header and
> force the user to use HTTPS from then on out).
I have to kindly request this change to be reverted, or at least that
the SimpleRPC call be exempted from it.
There's an installed base of tens of thousands of Puppet installations
installing pip modules via a fscked up pip provider that's hardcoded to
work against the http-based SimpleRPC endpoint, all of which are broken
now :(
cURL equivalent of an example call they are making:
curl -v -X POST http://pypi.python.org/pypi -H 'Content-type: text/xml' \
  -d "<?xml version='1.0'?><methodCall>
<methodName>package_releases</methodName><params><param><value>
<string>pip</string></value></param></params></methodCall>"
Fix they've done on their side:
https://github.com/puppetlabs/puppet/commit/152299cc859fc74343c697841848086d4e41b6f8
Related Jira issue on their side:
https://tickets.puppetlabs.com/browse/PUP-6120
As this change is only included in the very latest Puppet release (4.5)
and means crossing one major and multiple minor releases for almost
everyone using that code, I see no option but to plead for reverting (the
relevant part of) this on behalf of the affected admins and systems.
Thank you for your consideration,
count
--
Andreas 'count' Kotes
Taming computers for humans since 1990.
"Don't ask what the world needs. Ask what makes you come alive, and go do it.
Because what the world needs is people who have come alive." -- Howard Thurman
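The call the post describes, as an added example that is not code from the post or from Puppet: it builds the same XML-RPC `package_releases` body the curl command sends, forces the configured endpoint onto HTTPS before the first request (a redirect would not help, since the API now answers plain HTTP with 403), and decodes a constructed sample response. The version strings in the sample are made up for illustration.

```python
import xmlrpc.client
from urllib.parse import urlparse, urlunparse

# The plain-HTTP endpoint the Puppet pip provider was hard-coded to (from the post).
PYPI_XMLRPC_HTTP = "http://pypi.python.org/pypi"


def enforce_https(url: str) -> str:
    """Rewrite a plain-HTTP PyPI API URL to HTTPS.

    The API rejects HTTP with 403 instead of redirecting, so the scheme has
    to be right on the very first request; fixing it client-side is the cure.
    """
    parts = urlparse(url)
    if parts.scheme == "https":
        return url
    if parts.scheme != "http":
        raise ValueError(f"unsupported scheme in {url!r}")
    return urlunparse(parts._replace(scheme="https"))


def build_package_releases_call(project: str) -> str:
    """Serialise the same XML-RPC methodCall body the curl example posts."""
    return xmlrpc.client.dumps((project,), methodname="package_releases")


def parse_package_releases_response(body: str) -> list:
    """Decode a methodResponse whose single param is an array of version strings."""
    params, _ = xmlrpc.client.loads(body)
    return list(params[0])


def make_proxy(url: str = PYPI_XMLRPC_HTTP) -> xmlrpc.client.ServerProxy:
    """Client that only ever talks HTTPS, whatever URL was configured (lazy; no I/O here)."""
    return xmlrpc.client.ServerProxy(enforce_https(url))


# Constructed sample response (not captured from PyPI), in the shape
# package_releases returns: an array of release version strings.
SAMPLE_RESPONSE = (
    "<?xml version='1.0'?><methodResponse><params><param><value><array><data>"
    "<value><string>8.1.2</string></value><value><string>8.1.1</string></value>"
    "</data></array></value></param></params></methodResponse>"
)


if __name__ == "__main__":
    print(build_package_releases_call("pip"))
    print(parse_package_releases_response(SAMPLE_RESPONSE))
    print(make_proxy())
```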