> On Jul 25, 2017, at 3:06 PM, Tres Seaver <tsea...@palladion.com> wrote:
>
> On 07/25/2017 05:25 PM, Noah Kantrowitz wrote:
>>
>>> On Jul 25, 2017, at 2:15 PM, Wes Turner <wes.tur...@gmail.com> wrote:
>>>
>>> On Tuesday, July 25, 2017, Alexander Belopolsky
>>> <alexander.belopol...@gmail.com> wrote:
>>> On Tue, Jul 25, 2017 at 4:18 PM, Nick Timkovich <prometheus...@gmail.com>
>>> wrote:
>>> ..
>>>> That's because curl is kinda annoying and doesn't follow redirects by
>>>> default:
>>>>
>>>> $ curl -i http://pypi.python.org/pypi/virtualenv/json
>>>> HTTP/1.1 301 Moved Permanently
>>>> ...
>>>
>>> Well, http://pypi.org/.. which is presumably the home of the latest
>>> PyPI returns 403:
>>>
>>> $ curl -i http://pypi.org/pypi/virtualenv/json
>>> HTTP/1.1 403 SSL is required
>>> ...
>>>
>>> This suggests that redirects are considered to be legacy and may not
>>> be supported in the future.
>>>
>>> Here are the warehouse routes:
>>> https://github.com/pypa/warehouse/blob/master/warehouse/routes.py
>>>
>>> Why do you need an http to https redirect?
>>
>> To explain this: pypi.org is on the HSTS preload list so all major
>> browsers will automatically use HTTPS for it no matter what. cURL does
>> not support this feature.
>
> Seems like having an unconditional HTTP->HTTPS redirect in place would be a
> "good neighbor" kind of thing (and belt-and-suspenders, as well).

Those redirects lead to a false sense of security. As pypi.org is new and we
know there are no legacy links to it out there, it does not make sense to
allow http://pypi.org as a thing. There is no such website as http://pypi.org.

--Noah

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
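
The HSTS behaviour the thread attributes to browsers, as an added example (not code from the thread or from any project named in it): a minimal client-side HSTS store following RFC 6797 that rewrites http:// URLs to https:// before a request is sent, so a script never issues the cleartext request that a redirect would depend on. `HstsStore`, `parse_sts` and the `PRELOAD` entry are names and sample data made up for this example.

```python
import time
from urllib.parse import urlsplit, urlunsplit
# Constructed sample entry: (host, include_subdomains); not copied from a real preload list.
PRELOAD = [("pypi.org", True)]

def parse_sts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

class HstsStore:
    def __init__(self, preload=()):
        # host -> (expiry timestamp, or None for preloaded entries; include_subdomains)
        self.hosts = {host: (None, sub) for host, sub in preload}

    def note_response(self, url, header, now=None):
        """Learn a policy from a response; headers seen over plain HTTP are ignored."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return
        max_age, sub = parse_sts(header)
        now = time.time() if now is None else now
        # max-age=0 stores an already-expired entry, which withdraws the policy
        self.hosts[parts.hostname] = (now + max_age, sub)

    def is_known(self, host, now=None):
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            expiry, sub = self.hosts.get(".".join(labels[i:]), (0, False))
            if (expiry is None or expiry > now) and (i == 0 or sub):
                return True
        return False

    def upgrade(self, url, now=None):
        """Rewrite http:// to https:// for known hosts before anything is sent."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname, now):
            return url
        port = "" if parts.port in (None, 80) else f":{parts.port}"
        return urlunsplit(("https", parts.hostname + port, parts.path, parts.query, parts.fragment))
```

Calling `HstsStore(PRELOAD).upgrade(url)` on every URL before handing it to an HTTP client gives a script the same "no plain-HTTP request at all" property for listed hosts.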