Uploading to PyPI without Twine

I’ve previously asked about preventing twine from uploading private code to PyPI (basically, can I change the default settings so users have to explicitly type twine upload -r pypi?).

Just so I am aware of all the options, is there any way to publish package source code to PyPI without twine? Something like python setup.py bdist and then uploading that distribution manually or via CI?

See the documentation for Warehouse’s “forklift” API:

https://warehouse.pypa.io/api-reference/legacy.html#upload-api-forklift

Though it’s also entirely possible to upload packages in CI jobs with Twine (hundreds of projects I work on do exactly that).

1 Like

In theory, you could? It’s basically a post request to PyPI’s upload API.

Honestly, at this point, it feels like we’re going through the XY problem here.

What exactly are you trying to do?

1 Like

Twine maintainer here, chiming in to say that while it does essentially wrap a POST request, Twine also reads the package metadata from the distribution, and formats it correctly for the POST. It also supports signing the uploaded files with GPG.

2 Likes
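To make that concrete, here is an added example (my own code, not Twine's and not from anyone in the thread) that does the part Twine handles before the POST: it pulls the METADATA headers out of a wheel and assembles the form fields the legacy upload API expects. The wheel is constructed in memory, the endpoint is only named, and nothing is sent; the field names follow the Warehouse docs linked above, and the filename is assumed to carry no build tag.

```python
import hashlib
import io
import re
import zipfile
from email.parser import HeaderParser

# Endpoint from the Warehouse docs linked in the thread; this script never contacts it.
UPLOAD_URL = "https://upload.pypi.org/legacy/"

def read_wheel_metadata(wheel_bytes):
    """Parse the *.dist-info/METADATA headers (RFC 822 style) out of a wheel zip."""
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        path = next(n for n in zf.namelist()
                    if re.fullmatch(r"[^/]+\.dist-info/METADATA", n))
        return HeaderParser().parsestr(zf.read(path).decode("utf-8"))

def build_upload_fields(filename, wheel_bytes):
    """Form fields that accompany the 'content' file part of the upload POST.
    Assumes a wheel filename without a build tag: name-ver-py-abi-plat.whl."""
    md = read_wheel_metadata(wheel_bytes)
    return {
        ":action": "file_upload",
        "protocol_version": "1",
        "metadata_version": md["Metadata-Version"],
        "name": md["Name"],
        "version": md["Version"],
        "summary": md["Summary"] or "",
        "filetype": "bdist_wheel",
        "pyversion": filename[:-4].split("-")[2],  # python tag, e.g. py3
        "md5_digest": hashlib.md5(wheel_bytes).hexdigest(),
        "sha256_digest": hashlib.sha256(wheel_bytes).hexdigest(),
    }

def make_sample_wheel():
    """Constructed minimal wheel (not a real project) used as sample input."""
    metadata = ("Metadata-Version: 2.1\nName: demo-pkg\nVersion: 1.0.0\n"
                "Summary: constructed sample, never uploaded\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_pkg-1.0.0.dist-info/METADATA", metadata)
        zf.writestr("demo_pkg/__init__.py", "")
    return "demo_pkg-1.0.0-py3-none-any.whl", buf.getvalue()

if __name__ == "__main__":
    fname, data = make_sample_wheel()
    for key, value in build_upload_fields(fname, data).items():
        print(f"{key}: {value}")
    # A real client sends these fields plus the archive as the 'content' part of a
    # multipart/form-data POST to UPLOAD_URL. Since any HTTP client can do that,
    # a control aimed only at Twine does not stop uploads; a block on the host does.
```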

Yeah, my ultimate goal is the previous discussion I linked: Preventing twine from uploading private code to PyPI by default.

If you want to reliably prevent all PyPI uploads from individual or all machines on your network, regardless of mechanism, couldn’t you just block all requests to upload.pypi.org in your corporate firewall (or HOSTS file, etc)?

IMO a network-level block is the right solution in your case, along with the use of whatever relevant corporate policy mechanisms you want to employ to incentivise not publishing your private code publicly. What you can do is make it difficult to do the wrong thing with a network-level block and the other mechanisms described in that thread, and use the other social/organisational tools to disincentivise behaviours you don’t want. 🙂

At the end of the day, you can set up a basic roadblock that avoids doing the wrong thing by mistake, but you can’t really do much to prevent a malicious actor/motivated-to-solve-their-specific-problem-with-workarounds employee who has access to your source code from doing whatever they want with it.

1 Like