3

The twine package in Python is used to upload stuff to PyPI using HTTPS.

I am already using Python 2.7.9, and the twine readme says, 'only recently Python 2.7.9 stopped using HTTP.'

Does it mean that when I do python setup.py upload, the connection is already secure? If the answer is yes, does twine offer any additional security advantage for uploading?

Toastrackenigma
stackjs

1 Answer

2
$ python --version
Python 2.7.10

$ cat /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/config.py

class PyPIRCCommand(Command):
    """Base command that knows how to handle the .pypirc file
    """
    DEFAULT_REPOSITORY = 'https://pypi.python.org/pypi'

$ cat /Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/distutils/command/upload.py

repository = self.repository or self.DEFAULT_REPOSITORY

...

request = Request(self.repository, data=body, headers=headers)

So I guess that's true, distutils really uses HTTPS now.

But twine also allows you to sign your packages before upload with a GPG key.

Stephane Martin