Never use python setup.py upload

Published Aug. 23, 2015 in Deployment, Development - Last update on Aug. 23, 2015.

In the Python packaged projects I work on, I used to add a make register command to create a new version of my package. It launches a script I wrote which does the following:

  1. Get the version number written in package
  2. Create a git tag
  3. Push the tag to the upstream
  4. Create a package
  5. Upload package to PyPI

It looks like:

#!/bin/bash

# Read the version number declared in setup.py
version=$(python setup.py --version)
# Refuse to release if a tag for this version already exists
if git rev-parse -q --verify "refs/tags/${version}" > /dev/null; then
    echo "Version '${version}' already exists."
    exit 1
fi
git tag -a "${version}" -m "Version ${version}"
git push origin "${version}"
# upload must run in the same setup.py invocation as sdist,
# otherwise distutils reports that no dist file was created
python setup.py sdist upload

All is good until the last line, python setup.py upload. It sends your username and password to authenticate over HTTP, without the S. So unless you want to publish your credentials under a free licence, I advise you to install twine.

Twine is a small tool that eases package management and should be used to upload your package securely. After logging in, you only have to replace python setup.py upload with twine upload.

And all is great with TLS!
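The release script above rewritten around twine, as an added example that is not the post's own code: the upload step goes through twine over HTTPS, and a guard refuses any repository URL that is not TLS. The default repository URL, the release.sh script name and the use of ~/.pypirc or twine's environment variables for credentials are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own script): the release procedure from the
# post, with the plain-HTTP "python setup.py upload" step replaced by twine
# and a guard that refuses any repository URL that is not https://.
set -eu

# Assumption: the current PyPI upload endpoint; change it for a private index.
# Credentials are read by twine from ~/.pypirc or its environment variables.
DEFAULT_REPOSITORY_URL="https://upload.pypi.org/legacy/"

# Return 0 only for https:// URLs so credentials can never leave in clear text.
check_repository_url() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing to upload to non-TLS URL: $1" >&2; return 1 ;;
    esac
}

release() {
    repo_url="${1:-$DEFAULT_REPOSITORY_URL}"
    check_repository_url "$repo_url"

    # Same tag check as the original script, restricted to tag refs
    version=$(python setup.py --version)
    if git rev-parse -q --verify "refs/tags/${version}" > /dev/null; then
        echo "Version '${version}' already exists." >&2
        return 1
    fi
    git tag -a "${version}" -m "Version ${version}"
    git push origin "${version}"

    # Build from a clean dist/ so only this version gets uploaded
    rm -rf dist
    python setup.py sdist
    # twine speaks HTTPS and verifies the certificate whatever Python
    # version built the package.
    twine upload --repository-url "$repo_url" dist/*
}

# Run the release only when invoked as a script named release.sh (assumption)
case "${0##*/}" in
    release.sh) release "$@" ;;
esac
```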

Note: Since Python 2.7.9 and 3.2, python setup.py upload uses HTTPS, but users on other versions will still be on HTTP.
