> On Oct 28, 2014, at 9:43 AM, Antoine Pitrou <solip...@pitrou.net> wrote:
>
>> I think twine can do that for you (and is generally recommended these
>> days over setup.py upload, as it uses https).
>
> setup.py upload also uses https these days, AFAIK.

Paul forgot an important word there, *verified* HTTPS. It is true that recently Python switched the default from http:// to https://; however, in any released version of Python it still does not *verify* that when uploading. I believe that PEP 476 will change that, but it’s not in any released Python to my knowledge, and even then it’s hard to tell people “Well, setup.py upload is safe, in these particular scenarios” when it’s hard to declare exactly when those scenarios are (Python versions, but also some older versions thanks to downstream backporting patches etc). It doesn’t help either that the design of distutils doesn’t allow uploading an existing file, so if you, for instance, want to upload a Python 2.6 specific Wheel then that won’t have PEP 476 and then something like twine is the only way forward. All in all it’s easier to just say “don’t use that, use this instead” than to explain when and why it’s ok to use that.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
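
Because version numbers alone do not say whether an interpreter verifies HTTPS (backported patches blur the line), the check can be made at run time instead. The following is an added example, not part of the original message: the function names are hypothetical, and `ssl._create_default_https_context` is the hook PEP 476 defines for the standard library's HTTPS clients.

```python
import ssl


def context_is_verified(ctx):
    """True only if the context checks both the certificate chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def default_https_is_verified():
    """Probe what the stdlib HTTPS clients get when no context is passed.

    PEP 476 routes them through ssl._create_default_https_context. An
    interpreter without that hook predates PEP 476 and does not verify
    by default, so it is reported as unverified.
    """
    factory = getattr(ssl, "_create_default_https_context", None)
    if factory is None:
        return False
    return context_is_verified(factory())


def explicit_verified_context(cafile=None):
    """Build a context to pass explicitly, independent of interpreter defaults."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Fail loudly if the result was weakened (for example by a monkeypatch).
    if not context_is_verified(ctx):
        raise RuntimeError("TLS context does not verify certificate and hostname")
    return ctx


if __name__ == "__main__":
    print("default HTTPS verified:", default_https_is_verified())
    # The opt-out context from PEP 476 is "https" without the "verified".
    print("opt-out context verified:",
          context_is_verified(ssl._create_unverified_context()))
```

A `False` from `default_https_is_verified()` means an upload over `https://` on that interpreter is encrypted but accepts any certificate, which is the gap described above.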