In the Register your Project section, it is suggested to directly upload the PKG-INFO file instead of invoking `python setup.py register`, which didn't use secure connections previously and thus exposed credentials over the network in plaintext.
The twine readme states that https is being used now (since 2.7 and 3.2, two years ago), but the cert is not verified according to the referenced issue. I couldn't find any mention about SSL/TLS certs being verified now, however.
Could you maybe answer the question in the title and update the user guide to mention the Python versions where this is fixed, if it is the case? Does setuptools even rely on distutils or would that issue be fixed elsewhere?
Edit: How about `python setup.py ... upload`, too?
I just wrote something up about this recently, here's a copy/paste:
Prior to Python 2.7.7 the Python standard library module would, when uploading software to PyPI via the setup.py upload function, by default upload over HTTP, exposing author credentials to a trivial, passive MITM attack. In 2.7.7 the default URL was changed to use HTTPS, but HTTPS was not validated until 2.7.9. Likewise in the 3.x line, it used HTTP until 3.3.4 but did not validate the HTTPS until 3.4.3.
In addition, prior to 0.7.3 setuptools also defaulted to using HTTP for the same thing (for both setup.py upload, and setup.py upload_docs) and prior to 2.0 it did not support verifying HTTPS for upload or upload_docs at all. In 2.0 it switched to utilizing the behavior in distutils, so whether it’s secure or not depends on the Python version in use.
I forgot to mention this there, but it also applies to setup.py register.
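As an added example (not part of this thread or of setuptools), here is a small defender-side check built on the version thresholds stated above: it reports whether a given interpreter version is one where distutils validates HTTPS for register/upload, whether the running interpreter's default SSL context verifies certificates and hostnames, and flags any `.pypirc` repository that still points at a plain `http://` URL. The `.pypirc` content is constructed sample data; the choice to skip repositories with no explicit `repository` key (they use the client's default) is an assumption.

```python
import configparser
import ssl

# Thresholds from the comment above: distutils validates the HTTPS certificate
# for setup.py register/upload from 2.7.9 (2.x line) and 3.4.3 (3.x line).
VERIFYING_SINCE = {2: (2, 7, 9), 3: (3, 4, 3)}


def distutils_verifies_https(version_info):
    """True if distutils in this interpreter version verifies HTTPS certs."""
    major = version_info[0]
    threshold = VERIFYING_SINCE.get(major)
    if threshold is None:
        # Assumption: majors after 3 inherit the fix; anything older is unsafe.
        return major > 3
    return tuple(version_info[:3]) >= threshold


def default_context_verifies():
    """True if the running interpreter's default SSL context checks certs and hostnames."""
    ctx = ssl.create_default_context()
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit_pypirc(text):
    """Return findings for every index server whose repository URL is not https."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []
    for name in cp.get("distutils", "index-servers", fallback="").split():
        url = cp.get(name, "repository", fallback=None)
        if url is None:
            continue  # assumption: no explicit URL means the client default is used
        if not url.lower().startswith("https://"):
            findings.append(f"{name}: repository URL is not https ({url})")
    return findings


# Constructed sample .pypirc with one safe and one plaintext-HTTP index server.
SAMPLE_PYPIRC = """
[distutils]
index-servers =
    pypi
    internal

[pypi]
username: __token__

[internal]
repository: http://pypi.internal.example/simple
username: deploy
"""

if __name__ == "__main__":
    import sys
    print("distutils verifies HTTPS:", distutils_verifies_https(sys.version_info))
    print("default SSL context verifies:", default_context_verifies())
    for finding in audit_pypirc(SAMPLE_PYPIRC):
        print("FINDING:", finding)
```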