#2086 closed defect (fixed)

Use Twine to Upload Packages to PyPI

Reported by: dstufft
Owned by: warner
Priority: normal
Milestone: 1.10.1
Component: packaging
Version: 1.10.0
Keywords: twine pypi packaging security release
Cc:
Launchpad Bug:

Description

If you're using setup.py upload to PyPI you're transmitting your passwords in cleartext and without any sort of authentication of the server you're submitting them to. To combat this I created https://pypi.python.org/pypi/twine which does verify TLS. It also allows you to upload already created packages. This makes it easy to test a release prior to upload.

Not sure if it's relevant or how you upload but if you're using the setup.py upload method you probably want to stop.

Change History (9)

comment:1 Changed at 2013-10-01T17:53:30Z by daira

  • Component changed from unknown to packaging
  • Keywords twine pypi packaging security added

comment:2 Changed at 2013-10-01T17:55:39Z by daira

  • Keywords release added
  • Milestone changed from undecided to 1.11.0
  • Owner changed from daira to warner

This seems pretty straightforward, shall we try to use it for the 1.11 release?

comment:3 follow-up: Changed at 2013-10-01T17:59:58Z by daira

Our current release process says:

    - [ ] update pypi:
      - python setup.py register
      - login to pypi
      - manually upload .tar.gz tarball and .asc signature (so they match the
        ones on tahoe-lafs.org)

comment:4 in reply to: ↑ 3 Changed at 2013-10-01T18:48:09Z by dstufft

Well you're not insecure then :) Twine would just automate the "manually upload ..." part. Twine understands .asc files as well and will upload them as signatures if you pass both of them like:

    $ twine upload foo-1.0.tar.gz foo-1.0.tar.gz.asc
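As an added example (not part of this ticket, nor of the Tahoe-LAFS release docs or Twine itself), the shell helper below automates the "manually upload" step the way comment 4 suggests while keeping the check from the release process that the uploaded tarball matches the one published on tahoe-lafs.org: it refuses to call twine unless the tarball has a detached .asc signature beside it, `gpg --verify` accepts that signature, and the tarball's SHA-256 matches a digest the release manager supplies. The `EXPECTED_SHA256` argument, the function names and the `foo-1.0.tar.gz` file name are assumptions for illustration; `gpg` and `twine` must be installed for `upload_release` itself to run.

```shell
#!/bin/sh
# Added example helper (hypothetical, not Tahoe-LAFS or Twine code): verify a
# signed release tarball before handing it to twine.

# file_sha256 FILE: print the hex SHA-256 of FILE (sha256sum on Linux,
# shasum on macOS/BSD).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_pair DIST_FILE: succeed only if DIST_FILE and its detached
# signature DIST_FILE.asc both exist.
check_pair() {
    [ -f "$1" ] && [ -f "$1.asc" ]
}

# digest_matches DIST_FILE EXPECTED_SHA256: compare the local tarball with
# the digest recorded for the copy on the project website (the digest is
# supplied by the caller; this example assumes it was obtained out of band).
digest_matches() {
    [ "$(file_sha256 "$1")" = "$2" ]
}

# build_upload_args DIST_FILE...: print "tarball tarball.asc" for each file,
# one pair per line, failing if any signature is missing. This is exactly the
# argument shape twine expects when it should upload signatures too.
build_upload_args() {
    for f in "$@"; do
        check_pair "$f" || { echo "missing signature for $f" >&2; return 1; }
        printf '%s %s\n' "$f" "$f.asc"
    done
}

# upload_release EXPECTED_SHA256 DIST_FILE: verify, then upload over TLS with
# twine. Every check must pass before twine is invoked at all.
upload_release() {
    expected=$1
    f=$2
    check_pair "$f" || { echo "no .asc signature for $f" >&2; return 1; }
    gpg --verify "$f.asc" "$f" || { echo "signature does not verify" >&2; return 1; }
    digest_matches "$f" "$expected" || { echo "digest mismatch for $f" >&2; return 1; }
    # shellcheck disable=SC2046  # word splitting of the pair is intended
    twine upload $(build_upload_args "$f")
}

# Usage (assumed file name and digest placeholder):
#   upload_release <sha256-from-tahoe-lafs.org> dist/foo-1.0.tar.gz
```

The ordering matters: the digest comparison catches a tarball that was rebuilt locally and no longer matches the published one, and the signature verification catches a tarball that was swapped after signing; both run before any credentials are sent anywhere.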

comment:5 Changed at 2013-10-02T00:35:29Z by warner

seems reasonable :)

comment:6 Changed at 2014-04-25T22:26:53Z by Brian Warner <warner@…>

  • Resolution set to fixed
  • Status changed from new to closed

In a724c09ab8150448cbc308e5c7f62b307def34eb/trunk:

release docs: recommend Twine for package upload. Closes #2086.

comment:7 Changed at 2014-04-25T23:16:47Z by Brian Warner <warner@…>

In a724c09ab8150448cbc308e5c7f62b307def34eb/trunk:

release docs: recommend Twine for package upload. Closes #2086.

comment:8 Changed at 2014-04-26T20:13:28Z by Brian Warner <warner@…>

In a724c09ab8150448cbc308e5c7f62b307def34eb/trunk:

release docs: recommend Twine for package upload. Closes #2086.

comment:9 Changed at 2014-04-26T20:28:13Z by Brian Warner <warner@…>

In a724c09ab8150448cbc308e5c7f62b307def34eb/trunk:

release docs: recommend Twine for package upload. Closes #2086.
