
Is python setup.py register safe for recent versions? #205

Closed
FichteFoll opened this issue Dec 10, 2015 · 2 comments

Comments

@FichteFoll

In the Register your Project section, it is suggested to directly upload the PKG-INFO file instead of invoking python setup.py register, which didn't use secure connections previously and thus exposed credentials over network in plaintext.

The twine readme states that https is being used now (since 2.7 and 3.2, two years ago), but the cert is not verified according to the referenced issue. I couldn't find any mention about SSL/TLS certs being verified now, however.

Could you maybe answer the question in the title and update the user guide to mention the Python versions where this is fixed, if it is the case? Does setuptools even rely on distutils or would that issue be fixed elsewhere?

Edit: How about python setup.py ... upload, too?

@dstufft
Member

dstufft commented Jun 17, 2016

I just wrote something up about this recently, here's a copy/paste:

Prior to Python 2.7.7 the Python standard library module would, when uploading software to PyPI via the setup.py upload function, by default upload over HTTP, exposing author credentials to a trivial, passive MITM attack. In 2.7.7 the default URL was changed to use HTTPS, but HTTPS was not validated until 2.7.9. Likewise in the 3.x line, it used HTTP until 3.3.4 but did not validate the HTTPS until 3.4.3.

In addition, prior to 0.7.3 setuptools also defaulted to using HTTP for the same thing (for both setup.py upload, and setup.py upload_docs) and prior to 2.0 it did not support verifying HTTPS for upload or upload_docs at all. In 2.0 it switched to utilizing the behavior in distutils, so whether it’s secure or not depends on the Python version in use.

I forgot to mention in that, but this also applies to setup.py register.
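The version thresholds in the comment above can be turned into an audit check for a build host. The script below is an added example written for this thread, not code from setuptools, distutils or any of the participants: it classifies the transport that setup.py upload / register would use for a given Python and setuptools version, using only the numbers quoted above (2.7.7 / 2.7.9 and 3.3.4 / 3.4.3 for distutils, 0.7.3 / 2.0 for setuptools). The three labels, and the assumption that every release after the last threshold keeps certificate verification, are mine and not stated in the comment.

```python
"""Classify the PyPI transport used by setup.py upload/register.

Added example for this issue thread; it is not part of setuptools or
distutils.  Thresholds come from dstufft's comment above; the labels and
the "later releases stay verified" assumption are the example's own.
"""
import sys

HTTP = "HTTP (credentials sent in plaintext; passive MITM)"
HTTPS_UNVERIFIED = "HTTPS without certificate verification (active MITM)"
HTTPS_VERIFIED = "HTTPS with certificate verification"


def parse_version(text):
    """Turn '2.7.9' or '3.5' into a 3-tuple; missing parts count as 0.

    Only plain dotted-integer versions are accepted; pre-release tags
    such as '2.0.dev1' are deliberately rejected rather than guessed.
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def distutils_transport(python_version):
    """Transport distutils' upload/register uses for a Python version."""
    v = parse_version(python_version)
    if v[0] == 2:
        # 2.x: HTTP before 2.7.7, unverified HTTPS until 2.7.9.
        if v < (2, 7, 7):
            return HTTP
        if v < (2, 7, 9):
            return HTTPS_UNVERIFIED
        return HTTPS_VERIFIED
    if v[0] == 3:
        # 3.x: HTTP before 3.3.4, unverified HTTPS until 3.4.3.
        if v < (3, 3, 4):
            return HTTP
        if v < (3, 4, 3):
            return HTTPS_UNVERIFIED
        return HTTPS_VERIFIED
    raise ValueError("thresholds are only known for Python 2.x and 3.x")


def setuptools_transport(setuptools_version, python_version):
    """Transport for a given setuptools version on a given Python.

    setuptools < 0.7.3 used HTTP, < 2.0 used HTTPS without verification,
    and from 2.0 on it defers to distutils, so the Python version decides.
    """
    s = parse_version(setuptools_version)
    if s < (0, 7, 3):
        return HTTP
    if s < (2, 0, 0):
        return HTTPS_UNVERIFIED
    return distutils_transport(python_version)


def is_safe(setuptools_version, python_version):
    """True only when certificates are verified end to end."""
    return setuptools_transport(setuptools_version, python_version) == HTTPS_VERIFIED


def current_interpreter():
    """Classify the interpreter running this script (distutils path only)."""
    v = "%d.%d.%d" % sys.version_info[:3]
    return v, distutils_transport(v)


if __name__ == "__main__":
    # Sample inputs constructed for this example, not taken from any host.
    for st, py in [("0.7.2", "3.5.0"), ("1.4", "2.7.9"), ("2.0", "2.7.8"),
                   ("20.0", "3.4.3")]:
        print("setuptools %-5s on Python %-6s -> %s"
              % (st, py, setuptools_transport(st, py)))
    print("this interpreter: %s -> %s" % current_interpreter())
```

Note that the setuptools 2.0 line is the one that matters in practice: a modern setuptools on an old interpreter is only as safe as that interpreter's distutils, which is why the check takes both versions.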

@theacodes
Member

This should be obsoleted by #271, but if it's not, let me know. :)


3 participants