Never use python upload

Published Aug. 23, 2015 in Deployment, Development - Last update on Aug. 23, 2015.

In the Python packaged projects where I work, I used to add a make register command to create a new version of my package. This launches a script I wrote which does the following:

  1. Get the version number written in the package
  2. Create a git tag
  3. Push the tag upstream
  4. Create a package
  5. Upload the package to PyPI

It looks like:

# Read the version string declared in setup.py
version=$(python setup.py --version)
# Refuse to release twice: a tag with this name must not exist yet
git rev-parse ${version} &> /dev/null
if [[ "$?" -eq 0 ]] ; then
    echo "Version '${version}' already exists."
    exit 1
fi
git tag -a ${version} -m "Version ${version}"
git push origin ${version}
python setup.py sdist
# The problematic step: distutils' upload command
python setup.py upload

All is good until the last line: python setup.py upload. It authenticates with your username and password over HTTP, without the S. So if you don't want to publish your credentials under a free licence, I advise you to install twine.

Twine is a small tool that eases package management and should be used to upload your package securely. After logging in, you only have to replace python upload with twine upload.

And all is great with TLS!

Note: since Python 2.7.9 and 3.2, python upload goes over HTTPS, but users of other versions will still be on HTTP.
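As an added example (not the post's own script), here is the release procedure above with the final step handed to twine upload; before tagging anything it also reads the [pypi] entry of .pypirc, which both distutils and twine use, and refuses to continue if the repository URL is not https://. It assumes git, a setup.py and twine are installed, and that the config file lives at ~/.pypirc unless PYPIRC is set.

```bash
#!/usr/bin/env bash
# Added example, not the original post's script: the same release steps, but
# the upload goes through twine (HTTPS) instead of "python setup.py upload".
# It first refuses to continue when the [pypi] entry in .pypirc points at an
# http:// repository, since distutils and twine both read that file and a
# plain-http URL would send the password in clear text whichever tool is used.
set -eu

# Print the "repository" value of one [section] of a .pypirc-style file;
# prints nothing when the section or the key is absent.
pypirc_repository_url() {
    awk -v want="[$2]" '
        { sub(/[ \t\r]+$/, "") }              # drop trailing whitespace
        $0 == want { in_section = 1; next }   # entered the wanted section
        /^\[/ { in_section = 0 }              # any other header ends it
        in_section && /^[ \t]*repository[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Succeed only for an https:// URL. An empty value means the tool falls back
# to its built-in default; refuse rather than guess, because the default of
# old distutils releases was plain http:// (assumption: treat unset as unsafe).
check_repository() {
    url=$(pypirc_repository_url "$1" "$2")
    case $url in
        https://*) echo "[$2] repository '$url' uses TLS" ;;
        *) echo "Refusing to upload: [$2] repository in $1 is '${url:-unset}', not https://" >&2
           return 1 ;;
    esac
}

# Tag, push, build and upload. Assumes git, setup.py and twine are available.
release() {
    check_repository "${PYPIRC:-$HOME/.pypirc}" pypi
    version=$(python setup.py --version)
    if git rev-parse -q --verify "refs/tags/$version" >/dev/null; then
        echo "Version '$version' already exists." >&2
        return 1
    fi
    git tag -a "$version" -m "Version $version"
    git push origin "$version"
    python setup.py sdist
    twine upload dist/*
}

case ${1:-} in
    check)   check_repository "${PYPIRC:-$HOME/.pypirc}" pypi ;;
    release) release ;;
esac
```

Run it as ./release.sh check to inspect the configured repository without touching the network, or ./release.sh release to perform the full procedure.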
